CVE-2025-38134

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38134
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38134.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-38134
Published
2025-07-03T09:15:27Z
Modified
2025-08-09T20:01:27Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()

As demonstrated by the fix for update_port_device_state, commit 12783c0b9e2c ("usb: core: Prevent null pointer dereference in update_port_device_state"), usb_hub_to_struct_hub() can return NULL in certain scenarios, such as during hub driver unbind or teardown race conditions, even if the underlying usb_device structure exists.

Plus, all other places that call usb_hub_to_struct_hub() in the same file do check for NULL return values.

If usb_hub_to_struct_hub() returns NULL, the subsequent access to hub->ports[udev->portnum - 1] will cause a null pointer dereference.
