CVE-2026-23009

{"id": "CVE-2026-23009", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-01-25T15:15:55.767", "references": [{"url": "https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: sideband: don't dereference freed ring when removing sideband endpoint\n\nxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is\nrunning and has a valid transfer ring.\n\nLianqin reported a crash during suspend/wake-up stress testing, and\nfound the cause to be dereferencing a non-existing transfer ring\n'ep->ring' during xhci_sideband_remove_endpoint().\n\nThe endpoint and its ring may be in unknown state if this function\nis called after xHCI was reinitialized in resume (lost power), or if\ndevice is being re-enumerated, disconnected or endpoint already dropped.\n\nFix this by both removing unnecessary ring access, and by checking\nep->ring exists before dereferencing it. Also make sure endpoint is\nrunning before attempting to stop it.\n\nRemove the xhci_initialize_ring_info() call during sideband endpoint\nremoval as is it only initializes ring structure enqueue, dequeue and\ncycle state values to their starting values without changing actual\nhardware enqueue, dequeue and cycle state. Leaving them out of sync\nis worse than leaving it as it is. The endpoint will get freed in after\nthis in most usecases.\n\nIf the (audio) class driver want's to reuse the endpoint after offload\nthen it is up to the class driver to ensure endpoint is properly set up."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nxhci: banda lateral: no desreferenciar el anillo liberado al eliminar el punto final de banda lateral\n\nxhci_sideband_remove_endpoint() asume incorrectamente que el punto final est\u00e1 en ejecuci\u00f3n y tiene un anillo de transferencia v\u00e1lido.\n\nLianqin inform\u00f3 de un fallo durante las pruebas de estr\u00e9s de suspensi\u00f3n/activaci\u00f3n, y encontr\u00f3 que la causa era la desreferenciaci\u00f3n de un anillo de transferencia inexistente 'ep->ring' durante xhci_sideband_remove_endpoint().\n\nEl punto final y su anillo pueden estar en un estado desconocido si esta funci\u00f3n se llama despu\u00e9s de que xHCI fuera reinicializado en la reanudaci\u00f3n (p\u00e9rdida de energ\u00eda), o si el dispositivo est\u00e1 siendo reenumerado, desconectado o el punto final ya ha sido descartado.\n\nSolucione esto eliminando el acceso innecesario al anillo y comprobando que 'ep->ring' existe antes de desreferenciarlo. Tambi\u00e9n aseg\u00farese de que el punto final est\u00e9 en ejecuci\u00f3n antes de intentar detenerlo.\n\nElimine la llamada a xhci_initialize_ring_info() durante la eliminaci\u00f3n del punto final de banda lateral, ya que solo inicializa los valores de estado de encolamiento, desencolamiento y ciclo de la estructura del anillo a sus valores iniciales sin cambiar el estado real de encolamiento, desencolamiento y ciclo del hardware. Dejarlos fuera de sincronizaci\u00f3n es peor que dejarlo como est\u00e1. El punto final ser\u00e1 liberado despu\u00e9s de esto en la mayor\u00eda de los casos de uso.\n\nSi el controlador de clase (de audio) desea reutilizar el punto final despu\u00e9s de la descarga, entonces es responsabilidad del controlador de clase asegurar que el punto final est\u00e9 configurado correctamente."}], "lastModified": "2026-03-25T19:53:47.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93EB4FA7-6AD6-4923-B7A8-9F5B3940F93F", "versionEndExcluding": "6.18.7", "versionStartIncluding": "6.16.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}