CVE-2025-22023

{"id": "CVE-2025-22023", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T11:15:42.987", "references": [{"url": "https://git.kernel.org/stable/c/49cf6f5293aeb706dd672608478336a003f37df6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/58d0a3fab5f4fdc112c16a4c6d382f62097afd1c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6af20ac254cbd0e1178a3542767c9308e209eee5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/de9e78167f760a699806793d7c987239e4f6c8c3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Don't skip on Stopped - Length Invalid\n\nUp until commit d56b0b2ab142 (\"usb: xhci: ensure skipped isoc TDs are\nreturned when isoc ring is stopped\") in v6.11, the driver didn't skip\nmissed isochronous TDs when handling Stoppend and Stopped - Length\nInvalid events. Instead, it erroneously cleared the skip flag, which\nwould cause the ring to get stuck, as future events won't match the\nmissed TD which is never removed from the queue until it's cancelled.\n\nThis buggy logic seems to have been in place substantially unchanged\nsince the 3.x series over 10 years ago, which probably speaks first\nand foremost about relative rarity of this case in normal usage, but\nby the spec I see no reason why it shouldn't be possible.\n\nAfter d56b0b2ab142, TDs are immediately skipped when handling those\nStopped events. This poses a potential problem in case of Stopped -\nLength Invalid, which occurs either on completed TDs (likely already\ngiven back) or Link and No-Op TRBs. Such event won't be recognized\nas matching any TD (unless it's the rare Link TRB inside a TD) and\nwill result in skipping all pending TDs, giving them back possibly\nbefore they are done, risking isoc data loss and maybe UAF by HW.\n\nAs a compromise, don't skip and don't clear the skip flag on this\nkind of event. Then the next event will skip missed TDs. A downside\nof not handling Stopped - Length Invalid on a Link inside a TD is\nthat if the TD is cancelled, its actual length will not be updated\nto account for TRBs (silently) completed before the TD was stopped.\n\nI had no luck producing this sequence of completion events so there\nis no compelling demonstration of any resulting disaster. It may be\na very rare, obscure condition. The sole motivation for this patch\nis that if such unlikely event does occur, I'd rather risk reporting\na cancelled partially done isoc frame as empty than gamble with UAF.\n\nThis will be fixed more properly by looking at Stopped event's TRB\npointer when making skipping decisions, but such rework is unlikely\nto be backported to v6.12, which will stay around for a few years."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: xhci: Don't skip on Stopped - Length Invalid Hasta el commit d56b0b2ab142 (\"usb: xhci: ensure skipped isoc TDs are returns when is stopped ring\") en v6.11, el controlador no omit\u00eda los TD is\u00f3cronos omitidos al gestionar los eventos Stoppend y Stopped - Length Invalid. En su lugar, borraba err\u00f3neamente el indicador de omisi\u00f3n, lo que provocar\u00eda que el anillo se atascara, ya que los eventos futuros no coincidir\u00e1n con el TD omitido, que nunca se elimina de la cola hasta que se cancela. Esta l\u00f3gica defectuosa parece haber estado en su lugar sustancialmente sin cambios desde la serie 3.x hace m\u00e1s de 10 a\u00f1os, lo que probablemente habla en primer lugar sobre la relativa rareza de este caso en el uso normal, pero por la especificaci\u00f3n no veo raz\u00f3n por la que no deber\u00eda ser posible. Despu\u00e9s de d56b0b2ab142, los TD se omiten inmediatamente al gestionar los eventos \"Detenidos\". Esto plantea un problema potencial en caso de \"Detenido - Longitud Inv\u00e1lida\", que ocurre en TD completados (probablemente ya devueltos) o en TRB de Enlace y No-Op. Este evento no se reconocer\u00e1 como coincidente con ning\u00fan TD (a menos que se trate del inusual TRB de Enlace dentro de un TD) y provocar\u00e1 la omisi\u00f3n de todos los TD pendientes, devolvi\u00e9ndolos posiblemente antes de que finalicen, con el riesgo de p\u00e9rdida de datos de isoc y posiblemente un fallo de hardware no operativo (UAF). Como soluci\u00f3n intermedia, no omita ni borre el indicador de omisi\u00f3n en este tipo de evento. De este modo, el siguiente evento omitir\u00e1 los TD omitidos. Una desventaja de no gestionar \"Detenido - Longitud Inv\u00e1lida\" en un Enlace dentro de un TD es que, si el TD se cancela, su longitud real no se actualizar\u00e1 para tener en cuenta los TRB completados (silenciosamente) antes de que se detuviera el TD. No tuve \u00e9xito en generar esta secuencia de eventos de finalizaci\u00f3n, por lo que no hay una demostraci\u00f3n convincente de ning\u00fan desastre resultante. Puede ser una condici\u00f3n muy rara y desconocida. La \u00fanica motivaci\u00f3n para este parche es que, si ocurre un evento tan improbable, prefiero arriesgarme a reportar un marco isoc cancelado parcialmente completado como vac\u00edo que arriesgarme con UAF. Esto se solucionar\u00e1 mejor analizando el puntero TRB del evento detenido al tomar decisiones de omisi\u00f3n, pero es poco probable que esta modificaci\u00f3n se incorpore a la versi\u00f3n 6.12, que se mantendr\u00e1 vigente durante algunos a\u00f1os."}], "lastModified": "2025-10-28T18:53:05.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "953630F8-9980-4613-A819-89F00EDB3E8E", "versionEndExcluding": "6.12.22", "versionStartIncluding": "6.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9410CA0-CED8-49BE-9DB4-856654736C32", "versionEndExcluding": "6.13.10", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82E37853-46C8-4BB6-9FA4-9838FD34D6A2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}