CVE-2025-21776 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

USB: hub: Ignore non-compliant devices with too many configs or interfaces

Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer:

Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
CPU: 7 UID: 0 PID: 117 Comm: kworker/7:1 Not tainted 6.13.0-rc3-00017-gf44d154d6e3d #14 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:usb_hub_adjust_deviceremovable+0x78/0x110 ... Call Trace: ? die_addr+0x31/0x80 ? exc_general_protection+0x1b4/0x3c0 ? asm_exc_general_protection+0x26/0x30 ? usb_hub_adjust_deviceremovable+0x78/0x110 hub_probe+0x7c7/0xab0 usb_probe_interface+0x14b/0x350 really_probe+0xd0/0x2d0 ? __pfx___device_attach_driver+0x10/0x10 __driver_probe_device+0x6e/0x110 driver_probe_device+0x1a/0x90 __device_attach_driver+0x7e/0xc0 bus_for_each_drv+0x7f/0xd0 __device_attach+0xaa/0x1a0 bus_probe_device+0x8b/0xa0 device_add+0x62e/0x810 usb_set_configuration+0x65d/0x990 usb_generic_driver_probe+0x4b/0x70 usb_probe_device+0x36/0xd0

The cause of this error is that the device has two interfaces, and the hub driver binds to interface 1 instead of interface 0, which is where usb_hub_to_struct_hub() looks.

We can prevent the problem from occurring by refusing to accept hub devices that violate the USB spec by having more than one configuration or interface.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/25/2026

The vulnerability identified as CVE-2025-21776 represents a critical security flaw within the Linux kernel's USB subsystem that could lead to system instability and potential privilege escalation. This issue manifests in the usb_hub_to_struct_hub() function where improper handling of non-compliant USB devices can result in null pointer dereferences and general protection faults. The vulnerability specifically targets the USB hub driver's behavior when processing devices that violate USB specifications by containing excessive configurations or interfaces. The flaw was discovered through testing with a specialized program created by Robert Morris that systematically triggers the problematic code path, causing kernel oops conditions and system crashes.

The technical root cause of this vulnerability lies in the improper validation of USB device descriptors within the kernel's USB hub driver implementation. When a USB device presents itself with multiple configurations or interfaces, the driver's binding logic can incorrectly select interface 1 instead of the expected interface 0, which contains the critical hub structure information. This misbinding causes usb_hub_to_struct_hub() to attempt operations on improperly initialized or null structures, leading to memory access violations. The vulnerability operates at the kernel level where the USB subsystem interacts with hardware device descriptors, making it particularly dangerous as it can be exploited to cause system crashes or potentially enable privilege escalation attacks. The error manifests as a general protection fault with a non-canonical address value of 0xcccccccccccccccc, indicating memory corruption in kernel space.

From an operational impact perspective, this vulnerability affects any Linux system running kernel versions that include the affected USB hub driver code, particularly those supporting USB 2.0 and USB 3.0 devices. The vulnerability can be triggered remotely through USB device connections, making it particularly concerning for systems that automatically accept USB devices without user confirmation. The attack vector requires an attacker to connect a specially crafted malicious USB device that violates USB specifications by presenting multiple configurations or interfaces. This type of vulnerability can be leveraged in supply chain attacks or physical access scenarios where an attacker can connect malicious USB devices to target systems, potentially leading to denial of service conditions or system compromise. The vulnerability aligns with CWE-476 which addresses null pointer dereference issues in software systems.

The mitigation strategy for this vulnerability involves implementing stricter validation of USB device descriptors before allowing the hub driver to process them. The recommended approach is to refuse acceptance of hub devices that violate USB specifications by having more than one configuration or interface, effectively preventing the problematic code path from being executed. This solution aligns with defensive programming principles and follows the principle of least privilege by rejecting non-compliant devices at the point of entry. System administrators should ensure that their kernels are updated with patches that include the fix for this vulnerability, which typically involves modifying the USB hub driver to validate device descriptors against USB specification compliance before attempting to bind to device interfaces. The fix should be implemented in accordance with security best practices and should be tested thoroughly to ensure it does not introduce regressions in legitimate USB device functionality. Organizations should also consider implementing USB device whitelisting policies and monitoring for suspicious USB device connections as additional layers of defense against potential exploitation of this vulnerability.

Responsible

Linux

Reservation

12/29/2024

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00229

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!