CVE-2025-22050 in Linuxinfo

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

usbnet:fix NPE during rx_complete

Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check.

This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SKB data fails to be queued.

Subsequent processes: (e.g., rx_complete → defer_bh → __skb_unlink(skb, list)) attempt to access skb->next, triggering a NULL pointer dereference (Kernel Panic).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/15/2026

The vulnerability described in CVE-2025-22050 represents a critical null pointer dereference issue within the Linux kernel's USB networking subsystem, specifically affecting the usbnet driver implementation. This flaw manifests as a race condition that occurs during the processing of received network packets, where the kernel fails to properly validate the device state before attempting to submit USB requests. The issue stems from an inconsistent approach in the codebase where the usb_submit_urb function does not perform the usbnet_going_away check that is present in the __usbnet_queue_skb function, creating a scenario where network traffic can be processed in an inconsistent state.

The technical implementation flaw arises from the absence of proper state validation in the critical path of USB network operations. When a USB network device is in the process of being disconnected or shut down, the usbnet_going_away flag should prevent new operations from proceeding to ensure data integrity and system stability. However, the usb_submit_urb function bypasses this validation while __usbnet_queue_skb properly includes it, leading to a race condition where URB (USB Request Block) submissions can succeed even when the underlying network device is no longer in a valid state for processing. This inconsistency allows for scenarios where the URB request completes successfully but the corresponding socket buffer (skb) data fails to be properly queued.

The operational impact of this vulnerability is severe, as it can lead to kernel panics and system crashes when the rx_complete function attempts to process the received data. During the normal packet processing flow, the kernel's receive completion handler calls defer_bh which then invokes __skb_unlink to remove the socket buffer from its list. This operation requires accessing the skb->next pointer, which becomes NULL when the race condition occurs, resulting in a null pointer dereference that terminates the kernel execution. The vulnerability affects systems running Linux kernels that utilize the usbnet driver for USB-based network connections, potentially impacting devices ranging from USB network adapters to embedded systems with USB networking capabilities.

This vulnerability maps directly to CWE-476, Null Pointer Dereference, and exhibits characteristics consistent with the ATT&CK technique T1489, Branch Execution Modification, as it exploits timing and state management inconsistencies in kernel networking operations. The race condition described aligns with the ATT&CK framework's approach to analyzing system-level vulnerabilities that leverage temporal inconsistencies in kernel operations. Organizations should implement immediate mitigations including kernel updates to versions containing the patched usbnet driver implementation, proper device state validation in USB network operations, and monitoring for kernel panic events related to USB networking subsystems. System administrators should also consider implementing proper USB device lifecycle management protocols to reduce exposure time during device disconnection events and ensure that all USB network devices are properly synchronized during shutdown procedures to prevent the race condition from occurring.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00157

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!