{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-57981", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-27T02:04:28.913Z", "datePublished": "2025-02-27T02:07:07.489Z", "dateUpdated": "2025-03-24T15:37:27.646Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:37:27.646Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix NULL pointer dereference on certain command aborts\n\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\n\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\n\nDon't attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it's harmless. Leave it alone.\n\nThis is probably Bug 219532, but no confirmation has been received.\n\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/host/xhci-ring.c"], "versions": [{"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "fd8bfaeba4a85b14427899adec0efb3954300653", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "b44253956407046e5907d4d72c8fa5b93ae94485", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "cf30300a216a4f8dce94e11781a866a09d4b50d4", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "4ff18870af793ce2034a6ad746e91d0a3d985b88", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "b649f0d5bc256f691c7d234c3986685d54053de1", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "0ce5c0dac768be14afe2426101b568a0f66bfc4d", "status": "affected", "versionType": "git"}, {"version": "c311e391a7efd101250c0e123286709b7e736249", "lessThan": "1e0a19912adb68a4b2b74fd77001c96cd83eb073", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/host/xhci-ring.c"], "versions": [{"version": "3.16", "status": "affected"}, {"version": "0", "lessThan": "3.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.129", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.76", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.13", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.2", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653"}, {"url": "https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485"}, {"url": "https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4"}, {"url": "https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88"}, {"url": "https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1"}, {"url": "https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641"}, {"url": "https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d"}, {"url": "https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073"}], "title": "usb: xhci: Fix NULL pointer dereference on certain command aborts", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9244F393-9DC7-4BC2-A176-D235D5853C12", "versionEndExcluding": "6.1.129", "versionStartIncluding": "3.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6D70701-9CB6-4222-A957-00A419878993", "versionEndExcluding": "6.6.76", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2897389C-A8C3-4D69-90F2-E701B3D66373", "versionEndExcluding": "6.12.13", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D4116B1-1BFD-4F23-BA84-169CC05FC5A3", "versionEndExcluding": "6.13.2", "versionStartIncluding": "6.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix NULL pointer dereference on certain command aborts\n\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\n\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\n\nDon't attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it's harmless. Leave it alone.\n\nThis is probably Bug 219532, but no confirmation has been received.\n\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: xhci: Fix NULL pointer dereference on certain command aborts Si un comando se pone en cola en el TRB utilizable final de un segmento de anillo, el puntero de encolado avanza al TRB de enlace posterior y no m\u00e1s all\u00e1. Si el comando se aborta m\u00e1s tarde, cuando se maneja la finalizaci\u00f3n del aborto, el puntero de desencolado avanza al primer TRB del siguiente segmento. Si no se ponen en cola m\u00e1s comandos, xhci_handle_stopped_cmd_ring() ve que los punteros de anillo son desiguales y supone que hay un comando pendiente, por lo que llama a xhci_mod_cmd_timer() que se bloquea si cur_cmd era NULL. No intente configurar el temporizador si cur_cmd es NULL. El timbre de puerta posterior probablemente tambi\u00e9n sea innecesario, pero es inofensivo. D\u00e9jelo en paz. Probablemente se trate del error 219532, pero no se ha recibido confirmaci\u00f3n. El problema se ha reproducido de forma independiente y se ha confirmado que se ha solucionado utilizando una MCU USB programada para anular la etapa de estado de SET_ADDRESS para siempre. Todo sigui\u00f3 funcionando normalmente despu\u00e9s de varios fallos evitados."}], "id": "CVE-2024-57981", "lastModified": "2025-03-13T13:15:43.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-27T02:15:11.293", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/0ce5c0dac768be14afe2426101b568a0f66bfc4d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/1e0a19912adb68a4b2b74fd77001c96cd83eb073"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/4ff18870af793ce2034a6ad746e91d0a3d985b88"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/ae069cd2ba09a2bd6a87a68c59ef0b7ea39cd641"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b44253956407046e5907d4d72c8fa5b93ae94485"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Mailing List", "Patch"], "url": "https://git.kernel.org/stable/c/b649f0d5bc256f691c7d234c3986685d54053de1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cf30300a216a4f8dce94e11781a866a09d4b50d4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fd8bfaeba4a85b14427899adec0efb3954300653"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts", "id": "2348620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348620"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: xhci: Fix NULL pointer dereference on certain command aborts\nIf a command is queued to the final usable TRB of a ring segment, the\nenqueue pointer is advanced to the subsequent link TRB and no further.\nIf the command is later aborted, when the abort completion is handled\nthe dequeue pointer is advanced to the first TRB of the next segment.\nIf no further commands are queued, xhci_handle_stopped_cmd_ring() sees\nthe ring pointers unequal and assumes that there is a pending command,\nso it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.\nDon't attempt timer setup if cur_cmd is NULL. The subsequent doorbell\nring likely is unnecessary too, but it's harmless. Leave it alone.\nThis is probably Bug 219532, but no confirmation has been received.\nThe issue has been independently reproduced and confirmed fixed using\na USB MCU programmed to NAK the Status stage of SET_ADDRESS forever.\nEverything continued working normally after several prevented crashes."], "name": "CVE-2024-57981", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-57981\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-57981\nhttps://lore.kernel.org/linux-cve-announce/2025022635-CVE-2024-57981-bba6@gregkh/T"], "threat_severity": "Moderate"}