Linux Kernel up to 6.18.6/6.19-rc5 xhci_sideband_remove_endpoint initialization

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.18.6/6.19-rc5. It has been declared as critical. This impacts the function xhci_sideband_remove_endpoint. Such manipulation leads to initialization. This vulnerability is traded as CVE-2026-23009. There is no exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in Linux Kernel up to 6.18.6/6.19-rc5 and classified as critical. Affected by this issue is the function xhci_sideband_remove_endpoint. The manipulation with an unknown input leads to a initialization vulnerability. Using CWE to declare the problem leads to CWE-665. The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. Impacted is availability. CVE summarizes:

In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don't dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring 'ep->ring' during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if device is being re-enumerated, disconnected or endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking ep->ring exists before dereferencing it. Also make sure endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal as is it only initializes ring structure enqueue, dequeue and cycle state values to their starting values without changing actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed in after this in most usecases. If the (audio) class driver want's to reuse the endpoint after offload then it is up to the class driver to ensure endpoint is properly set up.

The advisory is shared for download at git.kernel.org. This vulnerability is handled as CVE-2026-23009 since 01/13/2026. The exploitation is known to be difficult. There are known technical details, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 296543 (Linux Distros Unpatched Vulnerability : CVE-2026-23009), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.18.7 or 6.19-rc6 eliminates this vulnerability. Applying the patch 34f6634dba87ef72b3c3a3a524be663adef7ab42/dd83dc1249737b837ac5d57c81f2b0977c613d9f is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (296543), EUVD (EUVD-2026-4619) and CERT Bund (WID-SEC-2026-0215). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• SUSE openSUSE
• RESF Rocky Linux
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.18.6
• 6.19-rc1
• 6.19-rc2
• 6.19-rc3
• 6.19-rc4
• 6.19-rc5

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion