Race Condition in Linux Kernel USB Handling Affects Device Performance
CVE-2025-68287
What is CVE-2025-68287?
A race condition vulnerability has been identified in the Linux kernel's USB handling mechanism, specifically in the dwc3_remove_requests() function. This flaw occurs due to unsynchronized executions from multiple call paths, triggering premature freeing of USB requests. As a result, accessing already freed memory can lead to system crashes caused by use-after-free conditions. The vulnerability manifests through three main execution paths involving USB reset handling and asynchronous operations during ADB execution. To mitigate this risk, a patch has been implemented that checks for request completion before processing, ensuring safe and reliable USB operations.
Affected Version(s)
Linux 72246da40f3719af3bfd104a2365b32537c27d83 < 467add9db13219101f14b6cc5477998b4aaa5fe2
Linux 72246da40f3719af3bfd104a2365b32537c27d83 < 67192e8cb7f941b5bba91e4bb290683576ce1607
Linux 72246da40f3719af3bfd104a2365b32537c27d83 < 47de14d741cc4057046c9e2f33df1f7828254e6c