Linux Kernel up to 6.6.1 _dwc2_hcd_urb_enqueue null pointer dereference

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.6 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in Linux Kernel up to 6.6.1. This affects the function _dwc2_hcd_urb_enqueue. Performing a manipulation results in null pointer dereference.
This vulnerability is known as CVE-2023-52855. No exploit is available.
You should upgrade the affected component.
Details
A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.6.1. This affects the function _dwc2_hcd_urb_enqueue. The manipulation with an unknown input leads to a null pointer dereference vulnerability. CWE is classifying the issue as CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. This is going to have an impact on availability. The summary by CVE is:
In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue(): spin_lock_irqsave(&hsotg->lock, flags); ... if (!urb->hcpriv) { dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n"); goto out; } rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv ... out: spin_unlock_irqrestore(&hsotg->lock, flags); When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are concurrently executed, the NULL check of "urb->hcpriv" can be executed before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL pointer dereference. This possible bug is found by an experimental static analysis tool developed by myself. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. The above possible bug is reported, when my tool analyzes the source code of Linux 6.5. To fix this possible bug, "urb->hcpriv = NULL" should be executed with holding the lock "hsotg->lock". After using this patch, my tool never reports the possible bug, with the kernelconfiguration allyesconfig for x86_64. Because I have no associated hardware, I cannot test the patch in runtime testing, and just verify it according to the code logic.
It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2023-52855. The exploitability is told to be difficult. Technical details of the vulnerability are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 239742 (TencentOS Server 2: kernel (TSSA-2024:1030)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 4.14.330, 4.19.299, 5.4.261, 5.10.201, 5.15.139, 6.1.63, 6.5.12 or 6.6.2 eliminates this vulnerability. Applying the patch 14c9ec34e811/fed492aa6493/64c47749fc75/bdb3dd409630/fcaafb574fc8/6b21a2272885/3e851a77a13c/a7bee9598afb/ef307bc6ef04 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (239742). Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
- 4.14.329
- 4.19.298
- 5.0
- 5.1
- 5.2
- 5.3
- 5.4
- 5.4.260
- 5.5
- 5.6
- 5.7
- 5.8
- 5.9
- 5.10.200
- 5.15.138
- 6.1.0
- 6.1.1
- 6.1.2
- 6.1.3
- 6.1.4
- 6.1.5
- 6.1.6
- 6.1.7
- 6.1.8
- 6.1.9
- 6.1.10
- 6.1.11
- 6.1.12
- 6.1.13
- 6.1.14
- 6.1.15
- 6.1.16
- 6.1.17
- 6.1.18
- 6.1.19
- 6.1.20
- 6.1.21
- 6.1.22
- 6.1.23
- 6.1.24
- 6.1.25
- 6.1.26
- 6.1.27
- 6.1.28
- 6.1.29
- 6.1.30
- 6.1.31
- 6.1.32
- 6.1.33
- 6.1.34
- 6.1.35
- 6.1.36
- 6.1.37
- 6.1.38
- 6.1.39
- 6.1.40
- 6.1.41
- 6.1.42
- 6.1.43
- 6.1.44
- 6.1.45
- 6.1.46
- 6.1.47
- 6.1.48
- 6.1.49
- 6.1.50
- 6.1.51
- 6.1.52
- 6.1.53
- 6.1.54
- 6.1.55
- 6.1.56
- 6.1.57
- 6.1.58
- 6.1.59
- 6.1.60
- 6.1.61
- 6.1.62
- 6.5.0
- 6.5.1
- 6.5.2
- 6.5.3
- 6.5.4
- 6.5.5
- 6.5.6
- 6.5.7
- 6.5.8
- 6.5.9
- 6.5.10
- 6.5.11
- 6.6.0
- 6.6.1
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.8VulDB Meta Temp Score: 4.6
VulDB Base Score: 4.8
VulDB Temp Score: 4.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Null pointer dereferenceCWE: CWE-476 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 239742
Nessus Name: TencentOS Server 2: kernel (TSSA-2024:1030)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Kernel 4.14.330/4.19.299/5.4.261/5.10.201/5.15.139/6.1.63/6.5.12/6.6.2
Patch: 14c9ec34e811/fed492aa6493/64c47749fc75/bdb3dd409630/fcaafb574fc8/6b21a2272885/3e851a77a13c/a7bee9598afb/ef307bc6ef04
Timeline
05/21/2024 🔍05/21/2024 🔍
06/20/2025 🔍
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2023-52855 (🔍)
GCVE (CVE): GCVE-0-2023-52855
GCVE (VulDB): GCVE-100-265575
Entry
Created: 05/21/2024 18:48Updated: 06/20/2025 23:34
Changes: 05/21/2024 18:48 (56), 06/20/2025 23:34 (3)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.