Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-68287

Опубликовано: 16 дек. 2025
Источник: nvd
EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking dwc3_remove_requests(), leading to premature freeing of USB requests and subsequent crashes.

Three distinct execution paths interact with dwc3_remove_requests(): Path 1: Triggered via dwc3_gadget_reset_interrupt() during USB reset handling. The call stack includes:

  • dwc3_ep0_reset_state()
  • dwc3_ep0_stall_and_restart()
  • dwc3_ep0_out_start()
  • dwc3_remove_requests()
  • dwc3_gadget_del_and_unmap_request()

Path 2: Also initiated from dwc3_gadget_reset_interrupt(), but through dwc3_stop_active_transfers(). The call stack includes:

  • dwc3_stop_active_transfers()
  • dwc3_remove_requests()
  • dwc3_gadget_del_and_unmap_request()

Path 3: Occurs independently during adb root execution, which triggers USB function

Ссылки

EPSS

Процентиль: 6%
0.00024
Низкий

Дефекты

Связанные уязвимости

debian логотип

CVE-2025-68287

debian
3 дня назад

In the Linux kernel, the following vulnerability has been resolved: u ...

github логотип

GHSA-23wc-qh4p-pmrr

github
3 дня назад

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB funct...

EPSS

Процентиль: 6%
0.00024
Низкий

Дефекты