CVE-2025-38376 in Linux
Summary
by MITRE • 07/25/2025
In the Linux kernel, the following vulnerability has been resolved:
usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume
Shawn and John reported a hang issue during system suspend as below:
- USB gadget is enabled as Ethernet
- There is data transfer over USB Ethernet (scp a big file between host and device)
- Device is going in/out suspend (echo mem > /sys/power/state)
The root cause is that the USB device controller is suspended but the USB bus is still active, which causes the USB host to continue transferring data with the device and the device to continue queuing USB requests (in this case, a delayed TCP ACK packet triggers the issue) after the controller is suspended; however, the USB controller clock is already gated off. If the udc driver then accesses registers after that point, the system will hang.
The correct way to avoid such an issue is to disconnect the device from the host when the USB bus is not in the suspend state. The host will then receive a disconnect event and stop data transfer in time. To keep the USB gadget device working after system resume, this will reconnect the device automatically.
To make USB wakeup work if the USB bus is already in the suspend state, this will keep the connection only when the USB device controller has enabled wakeup capability.
Analysis
by VulDB Data Team • 12/23/2025
This vulnerability exists in the Linux kernel's chipidea USB Device Controller (UDC) driver and represents a critical synchronization issue during system power management operations. The flaw manifests when a USB gadget configured as an Ethernet function is transferring data while the system undergoes suspend/resume cycles, creating a race condition between hardware state management and software driver operations. The vulnerability specifically affects systems where USB Ethernet gadget functionality is active during power state transitions, making it particularly relevant for embedded devices, IoT systems, and mobile platforms that rely on USB gadget mode for network connectivity. This issue directly impacts system stability and reliability during normal power management operations, potentially causing complete system hangs that require manual intervention or power cycling.
The technical root cause stems from improper handling of USB controller state transitions during system suspend operations. When the USB device controller is suspended but the USB bus remains active, a critical timing gap emerges where the host controller continues to attempt data transfers while the device controller's clock has been gated off. This creates a scenario where USB requests are queued and processed in an inconsistent state, leading to memory access violations and system lockups. The vulnerability is particularly triggered by delayed TCP ACK packets that occur during large data transfers, which act as a catalyst for the race condition between the suspended controller and active host communications. The issue demonstrates poor adherence to power management protocols where device state synchronization fails to account for the asynchronous nature of USB bus operations and controller clock gating mechanisms.
The operational impact of this vulnerability extends beyond simple system hangs to encompass complete loss of system responsiveness during critical power management operations. During suspend operations, the system becomes unresponsive as the USB controller attempts to process requests without proper hardware support, creating a deadlock condition that prevents normal system resume operations. This vulnerability is especially problematic in embedded systems where automatic power management is essential for battery optimization and device functionality. The issue affects not only desktop and server environments but also mobile and IoT devices that rely on USB gadget functionality for network connectivity, potentially rendering devices unusable until manual intervention occurs. Additionally, the vulnerability undermines the reliability of USB wakeup mechanisms, which are crucial for maintaining system functionality in low-power states.
Mitigation strategies for this vulnerability require careful implementation of proper USB controller state management during suspend/resume operations. The recommended approach involves implementing explicit device disconnection from the host when the USB bus is not in suspend state, ensuring that host controllers receive appropriate disconnect events before hardware resources are deactivated. This approach aligns with the ATT&CK framework's power management abuse techniques and CWE-362 which addresses race conditions in concurrent systems. The solution must also incorporate automatic reconnection mechanisms upon system resume to maintain USB gadget functionality while preserving the correct power management behavior. For systems requiring USB wakeup capability, the implementation should maintain connection state only when the USB device controller has enabled wakeup capabilities, preventing premature resource deallocation during suspend operations. Organizations should implement comprehensive testing procedures that validate USB gadget functionality during power management scenarios and ensure proper driver updates to address this specific vulnerability in the Linux kernel's USB subsystem.
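The suspend policy described above, modelled in userspace C as an added example (not the kernel driver's code and not part of the advisory). All struct and function names are hypothetical, and the model assumes the cable stays attached across resume.

```c
/* Userspace model of the suspend policy; hypothetical names, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct udc_model {
    bool connected, bus_suspended, wakeup_enabled; /* link state, policy inputs */
    bool clock_on, hung; /* hung: request queued while the clock was gated */
};

/* Disconnect unless the bus is already suspended and wakeup is enabled. */
static bool must_disconnect(bool connected, bool bus_suspended, bool wakeup)
{
    return connected && (!bus_suspended || !wakeup);
}

/* Host traffic (e.g. a delayed TCP ACK) queues a request, touching registers. */
static void host_traffic(struct udc_model *u)
{
    if (u->connected && !u->bus_suspended && !u->clock_on)
        u->hung = true;
}

static void model_suspend(struct udc_model *u, bool fixed)
{
    if (fixed && must_disconnect(u->connected, u->bus_suspended, u->wakeup_enabled))
        u->connected = false; /* host receives a disconnect event */
    u->clock_on = false;      /* clock is gated in both variants */
}
static void model_resume(struct udc_model *u)
{
    u->clock_on = u->connected = true; /* reconnect; cable assumed attached */
}

/* One suspend cycle with host traffic arriving while suspended. */
static struct udc_model run_cycle(bool fixed, bool bus_suspended, bool wakeup)
{
    struct udc_model u = { true, bus_suspended, wakeup, true, false };
    model_suspend(&u, fixed);
    host_traffic(&u);
    if (!u.hung)
        model_resume(&u);
    return u;
}

int main(void)
{
    printf("old=%d fixed=%d\n", run_cycle(false, false, false).hung, run_cycle(true, false, false).hung);
    return 0;
}
```

In the model, the only case that keeps the connection across suspend is a bus that is already suspended with wakeup enabled, which is also the case where no host traffic can arrive.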