CVE-2024-57981
- Source
- https://cve.org/CVERecord?id=CVE-2024-57981
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-57981.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-57981
- Downstream
- Related
- Published
- 2025-02-27T02:07:07.489Z
- Modified
- 2026-03-20T12:41:05.172092Z
- Summary
- usb: xhci: Fix NULL pointer dereference on certain command aborts
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts
If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment.
If no further commands are queued, xhcihandlestoppedcmdring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhcimodcmdtimer() which crashes if curcmd was NULL.
Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone.
This is probably Bug 219532, but no confirmation has been received.
The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57981.json" }- References
-
- https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d
- https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073
- https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88
- https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641
- https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485
- https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1
- https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4
- https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/57xxx/CVE-2024-57981.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-57981
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc311e391a7efd101250c0e123286709b7e736249Fixedfd8bfaeba4a85b14427899adec0efb3954300653Fixedb44253956407046e5907d4d72c8fa5b93ae94485Fixedcf30300a216a4f8dce94e11781a866a09d4b50d4Fixed4ff18870af793ce2034a6ad746e91d0a3d985b88Fixedb649f0d5bc256f691c7d234c3986685d54053de1Fixedae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641Fixed0ce5c0dac768be14afe2426101b568a0f66bfc4dFixed1e0a19912adb68a4b2b74fd77001c96cd83eb073