CVE-2026-23009 (GCVE-0-2026-23009)

Vulnerability from cvelistv5 – Published: 2026-01-25 14:36 – Updated: 2026-02-09 08:37
VLAI?
Title
xhci: sideband: don't dereference freed ring when removing sideband endpoint
Summary
In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as is it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed in after this in most usecases. If the (audio) class driver want's to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: de66754e9f8029f8ae955a588959b99cab56b506 , < 34f6634dba87ef72b3c3a3a524be663adef7ab42 (git)
Affected: de66754e9f8029f8ae955a588959b99cab56b506 , < dd83dc1249737b837ac5d57c81f2b0977c613d9f (git)
Create a notification for this product.
    Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.7 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-sideband.c",
            "drivers/usb/host/xhci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "34f6634dba87ef72b3c3a3a524be663adef7ab42",
              "status": "affected",
              "version": "de66754e9f8029f8ae955a588959b99cab56b506",
              "versionType": "git"
            },
            {
              "lessThan": "dd83dc1249737b837ac5d57c81f2b0977c613d9f",
              "status": "affected",
              "version": "de66754e9f8029f8ae955a588959b99cab56b506",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-sideband.c",
            "drivers/usb/host/xhci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.7",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: sideband: don\u0027t dereference freed ring when removing sideband endpoint\n\nxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is\nrunning and has a valid transfer ring.\n\nLianqin reported a crash during suspend/wake-up stress testing, and\nfound the cause to be dereferencing a non-existing transfer ring\n\u0027ep-\u003ering\u0027 during xhci_sideband_remove_endpoint().\n\nThe endpoint and its ring may be in unknown state if this function\nis called after xHCI was reinitialized in resume (lost power), or if\ndevice is being re-enumerated, disconnected or endpoint already dropped.\n\nFix this by both removing unnecessary ring access, and by checking\nep-\u003ering exists before dereferencing it. Also make sure endpoint is\nrunning before attempting to stop it.\n\nRemove the xhci_initialize_ring_info() call during sideband endpoint\nremoval as is it only initializes ring structure enqueue, dequeue and\ncycle state values to their starting values without changing actual\nhardware enqueue, dequeue and cycle state. Leaving them out of sync\nis worse than leaving it as it is. The endpoint will get freed in after\nthis in most usecases.\n\nIf the (audio) class driver want\u0027s to reuse the endpoint after offload\nthen it is up to the class driver to ensure endpoint is properly set up."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:37:02.075Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f"
        }
      ],
      "title": "xhci: sideband: don\u0027t dereference freed ring when removing sideband endpoint",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23009",
    "datePublished": "2026-01-25T14:36:22.817Z",
    "dateReserved": "2026-01-13T15:37:45.939Z",
    "dateUpdated": "2026-02-09T08:37:02.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23009\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-25T15:15:55.767\",\"lastModified\":\"2026-03-25T19:53:47.933\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxhci: sideband: don\u0027t dereference freed ring when removing sideband endpoint\\n\\nxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is\\nrunning and has a valid transfer ring.\\n\\nLianqin reported a crash during suspend/wake-up stress testing, and\\nfound the cause to be dereferencing a non-existing transfer ring\\n\u0027ep-\u003ering\u0027 during xhci_sideband_remove_endpoint().\\n\\nThe endpoint and its ring may be in unknown state if this function\\nis called after xHCI was reinitialized in resume (lost power), or if\\ndevice is being re-enumerated, disconnected or endpoint already dropped.\\n\\nFix this by both removing unnecessary ring access, and by checking\\nep-\u003ering exists before dereferencing it. Also make sure endpoint is\\nrunning before attempting to stop it.\\n\\nRemove the xhci_initialize_ring_info() call during sideband endpoint\\nremoval as is it only initializes ring structure enqueue, dequeue and\\ncycle state values to their starting values without changing actual\\nhardware enqueue, dequeue and cycle state. Leaving them out of sync\\nis worse than leaving it as it is. The endpoint will get freed in after\\nthis in most usecases.\\n\\nIf the (audio) class driver want\u0027s to reuse the endpoint after offload\\nthen it is up to the class driver to ensure endpoint is properly set up.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\nxhci: banda lateral: no desreferenciar el anillo liberado al eliminar el punto final de banda lateral\\n\\nxhci_sideband_remove_endpoint() asume incorrectamente que el punto final est\u00e1 en ejecuci\u00f3n y tiene un anillo de transferencia v\u00e1lido.\\n\\nLianqin inform\u00f3 de un fallo durante las pruebas de estr\u00e9s de suspensi\u00f3n/activaci\u00f3n, y encontr\u00f3 que la causa era la desreferenciaci\u00f3n de un anillo de transferencia inexistente \u0027ep-\u0026gt;ring\u0027 durante xhci_sideband_remove_endpoint().\\n\\nEl punto final y su anillo pueden estar en un estado desconocido si esta funci\u00f3n se llama despu\u00e9s de que xHCI fuera reinicializado en la reanudaci\u00f3n (p\u00e9rdida de energ\u00eda), o si el dispositivo est\u00e1 siendo reenumerado, desconectado o el punto final ya ha sido descartado.\\n\\nSolucione esto eliminando el acceso innecesario al anillo y comprobando que \u0027ep-\u0026gt;ring\u0027 existe antes de desreferenciarlo. Tambi\u00e9n aseg\u00farese de que el punto final est\u00e9 en ejecuci\u00f3n antes de intentar detenerlo.\\n\\nElimine la llamada a xhci_initialize_ring_info() durante la eliminaci\u00f3n del punto final de banda lateral, ya que solo inicializa los valores de estado de encolamiento, desencolamiento y ciclo de la estructura del anillo a sus valores iniciales sin cambiar el estado real de encolamiento, desencolamiento y ciclo del hardware. Dejarlos fuera de sincronizaci\u00f3n es peor que dejarlo como est\u00e1. El punto final ser\u00e1 liberado despu\u00e9s de esto en la mayor\u00eda de los casos de uso.\\n\\nSi el controlador de clase (de audio) desea reutilizar el punto final despu\u00e9s de la descarga, entonces es responsabilidad del controlador de clase asegurar que el punto final est\u00e9 configurado correctamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16.1\",\"versionEndExcluding\":\"6.18.7\",\"matchCriteriaId\":\"93EB4FA7-6AD6-4923-B7A8-9F5B3940F93F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6238B17D-C12B-458F-A138-97039BFC4595\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F71D92C0-C023-48BD-B3B6-70B638EEE298\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"13580667-0A98-40CC-B29F-D12790B91BDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB5B7DFC-C36B-45D8-922C-877569FDDF43\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.