CVE-2025-68734

The vulnerability resides in the hfcsusb_probe() function within the Linux kernel's ISDN subsystem (drivers/isdn/hfcsusb.c). When the probe function is called, it allocates memory for a control URB (ctrl_urb) via usb_alloc_urb(). If the subsequent call to setup_instance() fails and returns an error code, the function returns directly without freeing the previously allocated ctrl_urb. This causes a memory leak [1].

The leak can be triggered during device enumeration when a USB ISDN adapter handled by this driver is plugged in but the internal setup routine fails (e.g., due to hardware issues or resource constraints). No special privileges or authentication are required; an unprivileged user or automated system could cause the leak by repeatedly connecting a faulty or maliciously crafted USB device that triggers the error path [1].

An attacker who can repeatedly cause the probe failure can exhaust kernel memory over time, potentially leading to denial of service (system instability or crash). The impact is limited to memory exhaustion; there is no evidence of code execution or privilege escalation from this specific leak [1].

The fix has been applied in the mainline Linux kernel and backported to stable releases via commits such as 475032fa2bb8, 03695541b334, 3f7c72bc73c4, and 6dce43433e06 [1][2][3][4]. The patch ensures that ctrl_urb is freed before the error return, and converts the error paths to use a goto ladder style for consistency. Users should update their kernel to a version containing the fix or apply the patch manually.