{ "threat_severity" : "Important", "public_date" : "2025-12-16T00:00:00Z", "bugzilla" : { "description" : "kernel: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths", "id" : "2422788", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2422788" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-364", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nusb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths\nThis patch addresses a race condition caused by unsynchronized\nexecution of multiple call paths invoking `dwc3_remove_requests()`,\nleading to premature freeing of USB requests and subsequent crashes.\nThree distinct execution paths interact with `dwc3_remove_requests()`:\nPath 1:\nTriggered via `dwc3_gadget_reset_interrupt()` during USB reset\nhandling. The call stack includes:\n- `dwc3_ep0_reset_state()`\n- `dwc3_ep0_stall_and_restart()`\n- `dwc3_ep0_out_start()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\nPath 2:\nAlso initiated from `dwc3_gadget_reset_interrupt()`, but through\n`dwc3_stop_active_transfers()`. The call stack includes:\n- `dwc3_stop_active_transfers()`\n- `dwc3_remove_requests()`\n- `dwc3_gadget_del_and_unmap_request()`\nPath 3:\nOccurs independently during `adb root` execution, which triggers\nUSB function unbind and bind operations. The sequence includes:\n- `gserial_disconnect()`\n- `usb_ep_disable()`\n- `dwc3_gadget_ep_disable()`\n- `dwc3_remove_requests()` with `-ESHUTDOWN` status\nPath 3 operates asynchronously and lacks synchronization with Paths\n1 and 2. When Path 3 completes, it disables endpoints and frees 'out'\nrequests. If Paths 1 or 2 are still processing these requests,\naccessing freed memory leads to a crash due to use-after-free conditions.\nTo fix this added check for request completion and skip processing\nif already completed and added the request status for ep0 while queue.", "A use-after-free vulnerability was found in the DWC3 USB controller driver in the Linux kernel. Multiple unsynchronized execution paths can invoke dwc3_remove_requests() concurrently, leading to premature freeing of USB requests. When one path frees requests while another is still processing them, a use-after-free crash occurs." ], "statement" : "This affects systems with DWC3-based USB controllers, commonly found in ARM SoCs. The race is triggered by USB reset events concurrent with function unbind operations (e.g., during adb root).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-01-12T00:00:00Z", "advisory" : "RHSA-2026:0453", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.27.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-01-19T00:00:00Z", "advisory" : "RHSA-2026:0793", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.24.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-01-19T00:00:00Z", "advisory" : "RHSA-2026:0793", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.24.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0576", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.161.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0537", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.161.1.rt21.233.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0535", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.152.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2026-01-14T00:00:00Z", "advisory" : "RHSA-2026:0534", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.152.1.rt14.437.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2026-01-13T00:00:00Z", "advisory" : "RHSA-2026:0489", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.106.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-01-12T00:00:00Z", "advisory" : "RHSA-2026:0457", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.77.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68287\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68287\nhttps://lore.kernel.org/linux-cve-announce/2025121638-CVE-2025-68287-5647@gregkh/T" ], "name" : "CVE-2025-68287", "csaw" : false }