CVE-2025-68287
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking dwc3_remove_requests(), leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with dwc3_remove_requests():
Path 1: Triggered via dwc3_gadget_reset_interrupt() during USB reset handling. The call stack includes:
- dwc3_ep0_reset_state()
- dwc3_ep0_stall_and_restart()
- dwc3_ep0_out_start()
- dwc3_remove_requests()
- dwc3_gadget_del_and_unmap_request()
Path 2: Also initiated from dwc3_gadget_reset_interrupt(), but through dwc3_stop_active_transfers(). The call stack includes:
- dwc3_stop_active_transfers()
- dwc3_remove_requests()
- dwc3_gadget_del_and_unmap_request()
Path 3: Occurs independently during adb root execution, which triggers USB function unbind and bind operations. The sequence includes:
- gserial_disconnect()
- usb_ep_disable()
- dwc3_gadget_ep_disable()
- dwc3_remove_requests() with -ESHUTDOWN status
Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions.
To fix this, a check for request completion was added so that processing is skipped if the request has already completed, and the request status is now set for ep0 while queueing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's DWC3 USB driver can cause use-after-free when multiple call paths invoke dwc3_remove_requests() concurrently.
Root Cause
A race condition exists in the DWC3 USB gadget driver because dwc3_remove_requests() can be invoked concurrently via three distinct code paths. Paths 1 and 2 both originate from dwc3_gadget_reset_interrupt() during USB reset handling—one through dwc3_ep0_reset_state() and the other through dwc3_stop_active_transfers(). Path 3 occurs independently during USB function unbind/bind operations (e.g., during adb root), calling dwc3_remove_requests() with -ESHUTDOWN status. These paths lack synchronization, so when Path 3 completes and frees out requests, Paths 1 or 2 may still be processing those same requests, leading to a use-after-free condition and kernel crash [1][2][3].
Exploitation and Impact
An attacker with physical USB access or the ability to trigger USB resets combined with function unbind events (e.g., via adb) could exploit this race. Successful exploitation results in a denial of service (kernel crash) due to accessing freed memory. The vulnerability affects systems running the Linux kernel with the DWC3 USB controller driver, commonly found in devices using USB Type-C or OTG [1][2][3].
Mitigation
The fix adds a check for request completion before processing and introduces request status tracking for endpoint zero (ep0) to prevent use-after-free. The patch has been applied to multiple stable kernel branches. Users should update to a kernel version containing the fix [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
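An added illustrative model, not the dwc3 driver code, of the double completion that the description (Paths 1 to 3) and the Mitigation section describe, and of the completion check the fix adds; every name here is hypothetical, and the -ECONNRESET status for the reset path is an assumption.

```c
#include <errno.h>

/* Hypothetical model of a queued USB request. In the driver, status stays
 * -EINPROGRESS while the request is pending on the endpoint. */
struct model_req {
    int status;
    int completed;  /* set once the completion path has run (the added check) */
};

struct model_ep {
    struct model_req reqs[4];
    int nreqs;
    int gave_back;  /* completions handed back to the function driver */
};

/* Stands in for dwc3_gadget_del_and_unmap_request(): hands the request back
 * to the function driver, which may then release it. In the real driver a
 * second hand-back of the same request is the use-after-free. */
static int model_giveback(struct model_ep *ep, struct model_req *req,
                          int status, int with_fix)
{
    if (with_fix && req->completed)
        return 0;  /* already completed by another path: skip it */
    req->status = status;
    req->completed = 1;
    ep->gave_back++;
    return 1;
}

/* Stands in for dwc3_remove_requests(): completes every queued request. */
static int model_remove_requests(struct model_ep *ep, int status, int with_fix)
{
    int n = 0;
    for (int i = 0; i < ep->nreqs; i++)
        n += model_giveback(ep, &ep->reqs[i], status, with_fix);
    return n;
}

/* Constructed scenario: Path 3 (endpoint disable, -ESHUTDOWN) runs first,
 * then Path 1/2 (reset handling, -ECONNRESET assumed) walks the same
 * requests. Returns the number of hand-backs performed. */
int model_race(int with_fix)
{
    struct model_ep ep = { .nreqs = 2 };
    for (int i = 0; i < ep.nreqs; i++)
        ep.reqs[i] = (struct model_req){ .status = -EINPROGRESS };
    model_remove_requests(&ep, -ESHUTDOWN, with_fix);   /* Path 3 */
    model_remove_requests(&ep, -ECONNRESET, with_fix);  /* Path 1 or 2 */
    return ep.gave_back;  /* 4 without the check, 2 with it */
}
```

The model is single-threaded, so it shows the idempotence the check provides, not the concurrency that triggers the race in the driver.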
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/467add9db13219101f14b6cc5477998b4aaa5fe2 (nvd)
- git.kernel.org/stable/c/47de14d741cc4057046c9e2f33df1f7828254e6c (nvd)
- git.kernel.org/stable/c/67192e8cb7f941b5bba91e4bb290683576ce1607 (nvd)
- git.kernel.org/stable/c/7cfb62888eba292fa35cd9ddbd28ce595f60e139 (nvd)
- git.kernel.org/stable/c/afc0e34f161ce61ad351303c46eb57bd44b8b090 (nvd)
- git.kernel.org/stable/c/e4037689a366743c4233966f0e74bc455820d316 (nvd)
- git.kernel.org/stable/c/fa5eaf701e576880070b60922200557ae4aa54e1 (nvd)
News mentions (0)
No linked articles in our index yet.