CVE-2026-43431
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix NULL pointer dereference when reading portli debugfs files
Michal reported and debgged a NULL pointer dereference bug in the recently added portli debugfs files
Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds the 'Supported Protocol' capabilities.
In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 384c57ec720597f8104f69082cdd261abb998b80 < 9c8bef223c6e991276188d30d74bdb2cbd8be652 | affected |
| Linux | Linux | 384c57ec720597f8104f69082cdd261abb998b80 < ae4ff9dead5efa2025eddfcdb29411432bf40a7c | affected |
| Linux | Linux | 6.19 | affected |
| Linux | Linux | 0 < 6.19 | unaffected |
| Linux | Linux | 6.19.9 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/9c8bef223c6e991276188d30d74bdb2cbd8be652
- https://git.kernel.org/stable/c/ae4ff9dead5efa2025eddfcdb29411432bf40a7c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.