CVE-2024-57981 in Linux
Summary
by MITRE • 02/27/2025
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts
If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment.
If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.
Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone.
This is probably Bug 219532, but no confirmation has been received.
The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/24/2026
The vulnerability CVE-2024-57981 represents a critical NULL pointer dereference flaw within the Linux kernel's USB xhci driver implementation. This issue specifically affects the handling of command aborts in the USB eXtensible Host Controller Interface (xHCI) subsystem, which governs USB 3.0 and later connectivity operations. The flaw manifests when commands are queued to the final usable Transfer Request Block (TRB) of a ring segment, creating a complex state management scenario that leads to system instability. The xHCI driver maintains circular rings of TRBs for command processing, and the interaction between enqueue and dequeue pointers becomes problematic during specific abort conditions.
The technical root cause stems from improper state validation during command completion handling. When a command is queued to the final TRB of a segment and subsequently aborted, the driver advances the dequeue pointer to the first TRB of the next segment. However, the subsequent handling logic in xhci_handle_stopped_cmd_ring() does not properly account for cases where the current command pointer (cur_cmd) becomes NULL. This function incorrectly assumes that unequal ring pointers indicate pending commands and attempts to set up a command timer through xhci_mod_cmd_timer(), which crashes when cur_cmd is NULL. The flaw demonstrates poor error handling and state management in the USB command processing pipeline, creating a potential denial of service condition.
This vulnerability directly impacts system stability and reliability, particularly in environments where USB devices are frequently connected and disconnected or where USB commands are processed under high load conditions. The operational impact extends beyond simple system crashes, as the flaw can cause complete system hangs or reboots during USB command processing operations. The issue is particularly concerning in server environments, embedded systems, and devices that rely heavily on USB connectivity for critical operations. The vulnerability affects systems running Linux kernel versions that include the problematic xhci driver implementation, potentially exposing a wide range of devices from desktop computers to industrial control systems.
The fix implemented addresses the core issue by adding a NULL check before attempting timer setup operations. This defensive programming approach prevents the invalid memory access that would otherwise occur when cur_cmd is NULL. The solution maintains backward compatibility while ensuring proper state handling during command abort scenarios. Additional verification through USB MCU testing with NAK responses during SET_ADDRESS operations confirms the effectiveness of the patch. This vulnerability aligns with CWE-476, which addresses NULL pointer dereference issues, and could potentially be leveraged in attacks targeting system stability through USB command injection or manipulation, though the direct attack surface remains limited to USB subsystem interactions. The fix demonstrates proper error handling practices and follows established security principles for robust kernel driver development.