Linux · Linux Kernel · CVE-2024-45006
**Name of the Vulnerable Software and Affected Versions**
Linux kernel versions prior to 6.6.50
**Description**
A NULL pointer dereference vulnerability has been resolved in the Linux kernel. The issue occurs when re-enumerating full-speed devices after a failed address device command, which can trigger a NULL pointer dereference. This happens because the `xhci_configure_endpoint()` function checks and reserves bandwidth in software on Panther Point xHC, but the bandwidth table pointers are not set up properly after a failed address device command. The `usb_ep0_reinit()` function calls `xhci_configure_endpoint()`, leading to the NULL pointer dereference. To fix this, the bandwidth table pointers need to be set up correctly after a failed address device command, and checking for bandwidth should be avoided in cases where no actual endpoints are added or removed.
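The two parts of the fix described above can be seen in a simplified user-space model. This is an added example, not kernel code or the upstream patch; every struct, function and constant name in it is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel identifiers. */
struct bw_table { unsigned int used; };   /* per-port bandwidth accounting */
struct virt_dev {
    struct bw_table *bw_table;  /* NULL models the state after a failed address command */
    unsigned int add_flags;     /* one bit per endpoint being added */
    unsigned int drop_flags;    /* one bit per endpoint being dropped */
};
#define SLOT_ONLY 0x1u          /* constructed value: slot context only, no endpoint change */
static struct bw_table root_port_bw = { 0 };

/* Fix part 1: point the device at its bandwidth table whenever it is (re)addressed. */
static void setup_addressable_dev(struct virt_dev *dev)
{
    dev->bw_table = &root_port_bw;
}

/* Returns 0 on success, -1 when a reservation is needed but the table is missing. */
static int configure_endpoint(struct virt_dev *dev, unsigned int cost)
{
    /* Fix part 2: no endpoint added or dropped means there is nothing to reserve. */
    int ep_change = (dev->add_flags & ~SLOT_ONLY) || dev->drop_flags;
    if (!ep_change)
        return 0;
    if (dev->bw_table == NULL)  /* the unfixed path would dereference NULL here */
        return -1;
    dev->bw_table->used += cost;
    return 0;
}

/* Models ep0 re-init after a failed address: table pointer lost, no endpoints changed. */
static int reinit_after_failed_address(void)
{
    struct virt_dev dev = { NULL, SLOT_ONLY, 0 };
    return configure_endpoint(&dev, 10);
}

int main(void)
{
    struct virt_dev dev = { NULL, SLOT_ONLY | 0x4u, 0 };
    int r1 = reinit_after_failed_address();
    int r2 = configure_endpoint(&dev, 10);   /* endpoint added, table still missing */
    setup_addressable_dev(&dev);
    int r3 = configure_endpoint(&dev, 10);   /* endpoint added, table restored */
    printf("reinit=%d no_table=%d with_table=%d used=%u\n", r1, r2, r3, root_port_bw.used);
    return 0;
}
```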
**Recommendations**
Update to Linux kernel version 6.6.50 or later to resolve the vulnerability.
As a temporary workaround, consider disabling the `xhci_configure_endpoint()` function until a patch is available.
Restrict access to the `usb_ep0_reinit()` function to minimize the risk of exploitation.
Avoid using the `xhci_reserve_bandwidth()` function in the affected API endpoint until the issue is resolved.