Michal Pecio

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A NULL pointer dereference issue has been identified in the Linux kernel's xhci (USB) handling. This issue occurs when a command is queued to the final usable TRB of a ring segment and is later aborted. The `xhci handle stopped cmd ring()` function may incorrectly assume a pending command and attempt to set up a timer, leading to a crash if `cur cmd` is NULL. The issue has been independently reproduced using a USB MCU programmed to NAK the Status stage of SET ADDRESS forever and has been confirmed fixed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the xHCI driver in the Linux kernel, which incorrectly handles isoc Babble and Buffer Overrun events. Specifically, when the xHC reports an error on one of the early TRBs, the driver assumes that the xHC has released its ownership of the multi-TRB TD and releases the TD, allowing the remaining TRBs to be freed or overwritten by new TDs. This can result in a "Transfer event TRB DMA ptr not part of current TD" error message. The issue is resolved by reusing the logic for processing isoc Transaction Errors, which also handles hosts that fail to report the final completion. Additionally, the transfer length reporting on Babble errors is fixed, as these errors may be caused by device malfunction and there is no guarantee that the buffer has been filled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.