CVE-2026-23009

Description

In the Linux kernel, the following vulnerability has been resolved:xhci: sideband: dont dereference freed ring when removing sideband endpointxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint isrunning and has a valid transfer ring.Lianqin reported a crash during suspend/wake-up stress testing, andfound the cause to be dereferencing a non-existing transfer ringep->ring during xhci_sideband_remove_endpoint().The endpoint and its ring may be in unknown state if this functionis called after xHCI was reinitialized in resume (lost power), or ifdevice is being re-enumerated, disconnected or endpoint already dropped.Fix this by both removing unnecessary ring access, and by checkingep->ring exists before dereferencing it. Also make sure endpoint isrunning before attempting to stop it.Remove the xhci_initialize_ring_info() call during sideband endpointremoval as is it only initializes ring structure enqueue, dequeue andcycle state values to their starting values without changing actualhardware enqueue, dequeue and cycle state. Leaving them out of syncis worse than leaving it as it is. The endpoint will get freed in afterthis in most usecases.If the (audio) class driver wants to reuse the endpoint after offloadthen it is up to the class driver to ensure endpoint is properly set up.

Risk Information

Base Score

5.5

MODERATE

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Score

Exploitation Probability

0.019

Associated Vulnerability

No records found

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234