Bug 2419851 (CVE-2025-40314) - CVE-2025-40314 kernel: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
Summary: CVE-2025-40314 kernel: usb: cdns3: gadget: Use-after-free during failed initi...
Keywords:
Status: NEW
Alias: CVE-2025-40314
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-08 07:03 UTC by OSIDB Bzimport
Modified: 2025-12-10 10:12 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-12-08 07:03:24 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget

In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget
structure (pdev->gadget) was freed before its endpoints.
The endpoints are linked via the ep_list in the gadget structure.
Freeing the gadget first leaves dangling pointers in the endpoint list.
When the endpoints are subsequently freed, this results in a use-after-free.

Fix:
By separating the usb_del_gadget_udc() operation into distinct "del" and
"put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the
final release of the gadget structure with usb_put_gadget().

A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure
 only after freeing endpoints").
Comment 1 Alexander B 2025-12-10 10:08:30 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120822-CVE-2025-40314-1dcb@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.