Linux · Linux Kernel · CVE-2023-52898
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
The issue is a null pointer dereference in the Linux kernel's xhci component. It occurs when `xhci_free_dev()` and `xhci_kill_endpoint_urbs()` race when the host suddenly dies. The USB core may call `xhci_free_dev()`, which frees the `xhci->devs[slot_id]` virt device, at the same time that `xhci_kill_endpoint_urbs()` is looping through all of the device's endpoints, checking for any cancelled URBs left to give back. The fix is to hold the xhci spinlock while freeing the virt device.
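The locking rule described above, modelled in userspace C as an added example (not the kernel's code and not the upstream patch). A pthread mutex stands in for the xhci spinlock, and `struct host`, `struct virt_dev`, `free_dev()`, `host_died()` and `host_init()` are hypothetical names.

```c
/* Userspace model of the locking rule (added example, not kernel code).
 * struct host, struct virt_dev and the function names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>

#define MAX_SLOTS 4
#define MAX_EPS   31

struct virt_dev { int cancelled_urbs[MAX_EPS]; };
struct host {
    pthread_mutex_t lock;              /* plays the role of the xhci spinlock */
    struct virt_dev *devs[MAX_SLOTS];
};

/* Teardown path: free and clear the slot while holding the lock. */
void free_dev(struct host *h, int slot_id)
{
    pthread_mutex_lock(&h->lock);
    free(h->devs[slot_id]);
    h->devs[slot_id] = NULL;
    pthread_mutex_unlock(&h->lock);
}

/* Host-died path: walk all slots under the same lock, skipping freed ones.
 * Returns the number of cancelled URBs given back. */
int host_died(struct host *h)
{
    int given_back = 0;
    pthread_mutex_lock(&h->lock);
    for (int slot = 0; slot < MAX_SLOTS; slot++) {
        struct virt_dev *vdev = h->devs[slot];  /* read only under the lock */
        if (!vdev) continue;                    /* already freed */
        for (int ep = 0; ep < MAX_EPS; ep++) {
            given_back += vdev->cancelled_urbs[ep];
            vdev->cancelled_urbs[ep] = 0;
        }
    }
    pthread_mutex_unlock(&h->lock);
    return given_back;
}

/* Constructed sample state: one cancelled URB on endpoint 0 of every slot. */
void host_init(struct host *h)
{
    pthread_mutex_init(&h->lock, NULL);
    for (int slot = 0; slot < MAX_SLOTS; slot++)
        if ((h->devs[slot] = calloc(1, sizeof(struct virt_dev))))
            h->devs[slot]->cancelled_urbs[0] = 1;
}
```

Because the free and the NULL store happen under the same lock the walker holds, the walker sees either a live device or an empty slot, never a pointer that is freed mid-loop.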
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.