CVE-2025-40314

In the _cdnspgadgetinit() and cdnspgadgetexit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the eplist in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free.

Fix: By separating the usbdelgadgetudc() operation into distinct "del" and "put" steps, cdnspgadgetfreeendpoints() can be executed prior to the final release of the gadget structure with usbputgadget().

A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure only after freeing endpoints").

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40314.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8bc1901ca7b07d864fca11461b3875b31f949765

Fixed

0cf9a50af91fbdac3849f8d950e883a3eaa3ecea

Fixed

37158ce6ba964b62d1e3eebd11f03c6900a52dd1

Fixed

ea37884097a0931abb8e11e40eacfb25e9fdb5e9

Fixed

9c52f01429c377a2d32cafc977465f37b5384f77

Fixed

fdf573c517627a96f5040f988e9b21267806be5c

Fixed

87c5ff5615dc0a37167e8faf3adeeddc6f1344a3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40314.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.3.0

Fixed

5.15.197

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.159

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.117

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.58

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.17.8

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40314.json"