CVE-2025-37882— usb: xhci: Fix isochronous Ring Underrun/Overrun event handling
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-37882
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
usb: xhci: Fix isochronous Ring Underrun/Overrun event handling
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix isochronous Ring Underrun/Overrun event handling The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position. I can trigger this race by rising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load. If this ever happens after a Missed Service Error, missed TDs will be skipped and the new TD processed as if it matched the event. It could be given back prematurely, risking data loss or buffer UAF by the xHC. Don't complete TDs on xrun events and don't warn if queued TDs don't match the event's TRB pointer, which can be NULL or a link/no-op TRB. Don't warn if there are no queued TDs at all. Now that it's safe, also handle xrun events if the skip flag is clear. This ensures completion of any TD stuck in 'error mid TD' state right before the xrun event, which could happen if a driver submits a finite number of URBs to a buggy HC and then an error occurs on the last TD.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未正确处理等时环欠载或过载事件,可能导致数据丢失。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-37882
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-37882
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-05-09 · 52 CVEs total
| CVE-2025-37873 | eth: bnxt: fix missing ring index trim on error path | |
| CVE-2025-37889 | ASoC: ops: Consistently treat platform_max as control value | |
| CVE-2025-37888 | net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() | |
| CVE-2025-37883 | s390/sclp: Add check for get_zeroed_page() | |
| CVE-2025-37886 | pds_core: make wait_context part of q_info | |
| CVE-2025-37885 | KVM: x86: Reset IRTE to host control if *new* route isn't postable | |
| CVE-2025-37884 | bpf: Fix deadlock between rcu_tasks_trace and event_mutex. | |
| CVE-2025-37887 | pds_core: handle unsupported PDS_CORE_CMD_FW_CONTROL result | |
| CVE-2025-37875 | igc: fix PTM cycle trigger logic | |
| CVE-2025-37874 | net: ngbe: fix memory leak in ngbe_probe() error path | |
| CVE-2025-37876 | netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS | |
| CVE-2025-37872 | net: txgbe: fix memory leak in txgbe_probe() error path | |
| CVE-2025-37871 | nfsd: decrease sc_count directly if fail to queue dl_recall | |
| CVE-2025-37870 | drm/amd/display: prevent hang on link training fail | |
| CVE-2025-37869 | drm/xe: Use local fence in error path of xe_migrate_clear | |
| CVE-2025-37868 | drm/xe/userptr: fix notifier vs folio deadlock | |
| CVE-2025-37867 | RDMA/core: Silence oversized kvmalloc() warning | |
| CVE-2025-37866 | mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show() | |
| CVE-2025-37865 | net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported | |
| CVE-2025-37864 | net: dsa: clean up FDB, MDB, VLAN entries on unbind |
Showing top 20 of 52 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-37882
No comments yet