CVE-2026-23009
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-25

Last updated on: 2026-03-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as is it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed in after this in most usecases. If the (audio) class driver want's to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-25
Last Modified
2026-03-25
Generated
2026-05-07
AI Q&A
2026-01-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23009
EUVD
EUVD-2026-4619
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.16
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.16.1 (inc) to 6.18.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's xHCI driver occurs because the function xhci_sideband_remove_endpoint() incorrectly assumes that the USB endpoint is running and has a valid transfer ring. During certain conditions like suspend/wake-up cycles, device re-enumeration, or disconnection, the endpoint's transfer ring may no longer exist or be in an unknown state. Dereferencing this freed or non-existing ring leads to a crash. The fix involves removing unnecessary access to the ring, checking if the ring exists before dereferencing, and ensuring the endpoint is running before stopping it.


How can this vulnerability impact me? :

This vulnerability can cause system crashes during suspend/wake-up cycles or when USB devices are re-enumerated or disconnected. Such crashes can lead to system instability, potential data loss, or denial of service due to the kernel fault triggered by dereferencing freed memory.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the xhci sideband endpoint removal issue is fixed. This fix ensures that the kernel checks if the endpoint's transfer ring exists before dereferencing it and removes unnecessary ring access during endpoint removal. Additionally, ensure that any audio class drivers properly set up endpoints if they intend to reuse them after offload, as the kernel no longer initializes ring info during sideband endpoint removal.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart