Alan Stern

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A race condition in the USB gadget UVC (USB Video Class) component can lead to a NULL pointer dereference. During power management transitions, the `wait event interruptible timeout()` function may be aborted early when the system freezes user space processes. This allows the unbind thread to nullify the `cdev->gadget` pointer. When the system resumes or aborts the suspend process and tasks restart, the V4L2 release path attempts to access this nullified pointer via the `uvc function disconnect()` function, resulting in a kernel panic. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.37 **Description** The issue is related to a reference leak in the `sysfs break active protection()` routine. When the call to `kernfs find and get()` fails, `kn` will be NULL, and the companion `sysfs unbreak active protection()` routine won't get called, resulting in an unreleased reference to `kobj`. This leak can be fixed by adding an explicit `kobject put()` call when `kn` is NULL. The vulnerability may allow an attacker to access confidential information. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.37 or later. As a temporary workaround, consider restricting access to the `sysfs break active protection()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a deadlock in the port "disable" sysfs attribute in the Linux kernel's USB core. The show and store callback routines for the "disable" sysfs attribute file in port.c acquire the device lock for the port's parent hub device, which can cause problems if another process has locked the hub to remove it or change its configuration. This can lead to a deadlock situation where the lock cannot be released until the callback routines return, but the callback routines cannot return until after they have acquired the lock. The deadlock can be avoided by calling sysfs break active protection(), but this call has the disadvantage that there is no guarantee that the hub structure won't be deallocated at any moment. To prevent this, a reference to the hub structure must be acquired first by calling hub get(). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.