VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2023-54277

Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: udlfb: Fix endpoint check

The syzbot fuzzer detected a problem in the udlfb driver, caused by an endpoint not having the expected type:

usb 1-1: Read EDID byte 0 failed: -71
usb 1-1: Unable to get valid EDID from device/display
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:

dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980
dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111
dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743

The current approach for this issue failed to catch the problem because it only checks for the existence of a bulk-OUT endpoint; it doesn't check whether this endpoint is the one that the driver will actually use.

We can fix the problem by instead checking that the endpoint used by the driver does exist and is bulk-OUT.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Insufficient endpoint validation in the udlfb driver lets a malicious USB device trigger a kernel WARNING in usb_submit_urb() when the endpoint the driver transmits on is not bulk-OUT; fixed by validating the specific endpoint the driver uses rather than any bulk-OUT endpoint on the interface.

Vulnerability

Overview

In the Linux kernel's udlfb driver (drivers/video/fbdev/udlfb.c), a missing endpoint validation lets a hostile device provoke a kernel warning during probe. The driver only checked that some bulk-OUT endpoint existed on the interface; it did not verify that the endpoint it actually transmits on is of that type. A malicious USB device can therefore pass the probe-time check while declaring the endpoint the driver uses as a different transfer type. When dlfb_submit_urb() hands a bulk-pipe URB for that endpoint to usb_submit_urb(), the pipe-type check in drivers/usb/core/urb.c fails and emits "BOGUS urb xfer, pipe 3 != type 1" through dev_WARN(); in the syzbot report the requested pipe type is bulk (3) and the endpoint's declared type is interrupt (1). On kernels running with panic_on_warn, as syzbot does, that WARNING is fatal [1].

Exploitation

Conditions

An attacker with physical access plugs in a USB device that identifies itself as a DisplayLink device (so that udlfb binds to it) and whose descriptors advertise a bulk-OUT endpoint somewhere on the interface but declare the endpoint udlfb transmits on as a non-bulk type (e.g., interrupt or isochronous). No authentication or user interaction is required: probe runs from the USB hub event workqueue (usb_hub_wq) as soon as the device enumerates. dlfb_usb_probe() calls dlfb_ops_set_par(), which calls dlfb_set_video_mode() and then dlfb_submit_urb(), so the mismatched URB is submitted early in the probe sequence and the warning fires before the device has been fully set up [2].
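As an added illustration (this is not kernel code and not part of the advisory), the following C model contrasts the two probe-time checks the description refers to and reproduces the type comparison that usb_submit_urb() logs as "pipe 3 != type 1". The descriptor field encodings and pipe-type numbering are the kernel's; the endpoint number DRIVER_TX_EP, the struct names, and the two descriptor sets (a well-behaved device and a hostile one) are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Descriptor field encodings from the USB 2.0 spec (same values the kernel
 * defines in include/uapi/linux/usb/ch9.h). */
#define USB_DIR_IN                  0x80
#define USB_ENDPOINT_NUMBER_MASK    0x0f
#define USB_ENDPOINT_XFERTYPE_MASK  0x03
#define USB_ENDPOINT_XFER_BULK      2
#define USB_ENDPOINT_XFER_INT       3

/* Pipe type numbering from include/linux/usb.h. usb_submit_urb() prints the
 * requested pipe type and the endpoint's real type as "pipe %x != type %x". */
#define PIPE_ISOCHRONOUS 0
#define PIPE_INTERRUPT   1
#define PIPE_CONTROL     2
#define PIPE_BULK        3

/* xfertype (bmAttributes & 3) -> pipe type, as usb_submit_urb() maps them. */
static const int pipetypes[4] = { PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT };

/* Minimal stand-in for struct usb_endpoint_descriptor (assumed name). */
struct ep_desc {
    uint8_t bEndpointAddress;   /* bit 7: direction (1 = IN); bits 0-3: number */
    uint8_t bmAttributes;       /* bits 0-1: transfer type */
};

/* Stand-in for the endpoint list of the interface's current altsetting. */
struct altsetting {
    const struct ep_desc *eps;
    size_t num_eps;
};

/* Assumption for this model: the OUT endpoint number the driver transmits on. */
#define DRIVER_TX_EP 1

static bool ep_is_bulk_out(const struct ep_desc *ep)
{
    return !(ep->bEndpointAddress & USB_DIR_IN) &&
           (ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_BULK;
}

/* Find the OUT endpoint with the given number (address == number, IN bit clear). */
static const struct ep_desc *find_out_ep(const struct altsetting *alt, uint8_t epnum)
{
    for (size_t i = 0; i < alt->num_eps; i++)
        if (alt->eps[i].bEndpointAddress == (epnum & USB_ENDPOINT_NUMBER_MASK))
            return &alt->eps[i];
    return NULL;
}

/* Pre-fix style check: accept the device if ANY bulk-OUT endpoint exists. */
bool probe_check_old(const struct altsetting *alt)
{
    for (size_t i = 0; i < alt->num_eps; i++)
        if (ep_is_bulk_out(&alt->eps[i]))
            return true;
    return false;
}

/* Fixed-style check: the endpoint the driver will actually use must exist
 * and be bulk-OUT. */
bool probe_check_fixed(const struct altsetting *alt, uint8_t epnum)
{
    const struct ep_desc *ep = find_out_ep(alt, epnum);
    return ep != NULL && ep_is_bulk_out(ep);
}

/* Pipe type of OUT endpoint epnum as usb_submit_urb() would compute it, or -1
 * if the endpoint is absent (the kernel rejects such URBs before this check). */
int endpoint_pipe_type(const struct altsetting *alt, uint8_t epnum)
{
    const struct ep_desc *ep = find_out_ep(alt, epnum);
    if (ep == NULL)
        return -1;
    return pipetypes[ep->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK];
}

/* Would a bulk URB (pipe built with usb_sndbulkpipe()) to epnum trip the
 * "BOGUS urb xfer" WARNING in usb_submit_urb()? */
bool bulk_urb_would_warn(const struct altsetting *alt, uint8_t epnum)
{
    int t = endpoint_pipe_type(alt, epnum);
    return t != -1 && t != PIPE_BULK;
}

/* Constructed descriptor sets (not captured from real hardware). */
static const struct ep_desc genuine_eps[] = {
    { 0x01, USB_ENDPOINT_XFER_BULK },   /* EP1 OUT, bulk: what the driver expects */
};
static const struct ep_desc malicious_eps[] = {
    { 0x01, USB_ENDPOINT_XFER_INT },    /* EP1 OUT declared as interrupt */
    { 0x02, USB_ENDPOINT_XFER_BULK },   /* unrelated bulk-OUT EP that satisfies the old check */
};
const struct altsetting genuine_alt   = { genuine_eps, sizeof genuine_eps / sizeof genuine_eps[0] };
const struct altsetting malicious_alt = { malicious_eps, sizeof malicious_eps / sizeof malicious_eps[0] };

static void report(const char *name, const struct altsetting *alt)
{
    printf("%s: old check %s, fixed check %s", name,
           probe_check_old(alt) ? "accepts" : "rejects",
           probe_check_fixed(alt, DRIVER_TX_EP) ? "accepts" : "rejects");
    if (bulk_urb_would_warn(alt, DRIVER_TX_EP))
        printf("; submit would warn: BOGUS urb xfer, pipe %x != type %x",
               PIPE_BULK, endpoint_pipe_type(alt, DRIVER_TX_EP));
    printf("\n");
}

int main(void)
{
    report("genuine  ", &genuine_alt);
    report("malicious", &malicious_alt);
    return 0;
}
```

The hostile descriptor set passes the old "any bulk-OUT endpoint" check because of EP2, yet the driver's own endpoint (EP1) is interrupt-typed, so the modelled submit reports exactly the "pipe 3 != type 1" pair seen in the syzbot log; the fixed check rejects the device at probe instead. The same structure also covers a device with no EP1 at all, which the old check would likewise accept.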

Impact

Successful exploitation produces a kernel WARNING from usb_submit_urb(). On a default kernel this is a logged warning and a failed probe; on systems booted with panic_on_warn (the configuration syzbot fuzzes under, and one some hardened deployments use) it is a panic, i.e. a denial of service that the attacker can repeat simply by re-plugging the device. The attacker gains no code execution or privilege escalation from this path. Only systems that have the udlfb driver available (CONFIG_FB_UDL, usually as a module) on a kernel without the fix are affected [3].

Mitigation

The vulnerability is fixed by the commit that validates the specific endpoint the driver will use, checking that it exists and is of type bulk-OUT, rather than merely checking that some bulk-OUT endpoint is present. Update to a stable kernel that carries the fix [1][2][3]. Where DisplayLink framebuffer support is not needed, leaving udlfb unbuilt or blacklisting the module removes the attack surface entirely; more generally, USB device authorization (the per-device authorized attribute in sysfs, or a policy tool such as USBGuard) limits which physically attached devices are allowed to bind drivers at all.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1 · Patches: 6 · References: 6 · News mentions: 0 (no linked articles in the index yet)