Linux Kernel USB Gadget Vulnerability in Driver Operations
CVE-2025-21838

Currently unrated

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 7 March 2025

Summary

A flaw has been identified in the USB gadget subsystem of the Linux kernel, specifically in the device removal path. When a gadget device is deleted, device_del() may itself schedule new work on the device's workqueue, so work can still be pending or running after the device has been removed, potentially leading to unexpected behaviour or resource leaks. The issue has been observed in the dwc3 driver, where it could be triggered during gadget disconnection. The fix is to call flush_work() after device_del() so that any work queued during removal completes before the device is torn down, preventing lingering tasks from executing against a removed device.

Affected Version(s)

Linux 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15

Linux 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15 < 859cb45aefa6de823b2fa7f229fe6d9562c9f3b7

Linux 5702f75375aa9ecf8ad3431aef3fe6ce8c8dbd15

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved