Null Pointer Dereference in Linux Kernel USB Component
CVE-2025-38134
Currently unrated
What is CVE-2025-38134?
The USB subsystem of the Linux kernel contains a flaw that can lead to a null pointer dereference. The function usb_hub_to_struct_hub() may return NULL under certain conditions, particularly when a call races with hub driver unbinding or teardown, even though the usb_device structure is present. A caller that then accesses the hub's ports without a NULL check dereferences a null pointer, which could cause a critical failure in the kernel.
Affected Version(s)
Linux f1bfb4a6fed64de1771b43a76631942279851744 < 8fa544bff8466062e42949c93f3e528f4be5624b
Linux f1bfb4a6fed64de1771b43a76631942279851744
Linux f1bfb4a6fed64de1771b43a76631942279851744 < 73fb0ec9436ae87bcae067ce35d6cdd72bade86c