PT-2024-11275 · Linux+3 · Linux Kernel+3

Marian-Cristian Rotariu · Published 2021-06-09 · Updated 2025-12-15 · CVE-2021-47269

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel version 4.19.124

Description

The issue is a NULL pointer exception in the Linux kernel's USB driver, specifically in the dwc3 module. There is no validation of the index from dwc3_wIndex_to_dep(), which can lead to referencing a non-existent endpoint and triggering a NULL pointer exception. This can occur in certain configurations where fewer endpoints are used and the index wrongly indicates a larger endpoint index than exists. The patch adds validation so that a wrong index is reported back to the caller.

Recommendations

To resolve the issue, update the Linux kernel to a version that includes the fix for the NULL pointer exception in the dwc3 module. As a temporary workaround, consider disabling the dwc3_ep0_handle_feature() function until a patch is available. Restrict access to the dwc3 module to minimize the risk of exploitation. Avoid using the dwc3_wIndex_to_dep() function in the affected API endpoint until the issue is resolved.
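
The bug class from the description, as an added user-space model in C. It is not the kernel's code or the upstream patch: the struct and function names, the 32-slot table and the wIndex-to-slot mapping are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define EP_NUM_MASK 0x0f  /* endpoint number bits of wIndex */
#define EP_DIR_IN   0x80  /* direction bit of wIndex */
#define MAX_EPS     32    /* assumed table size: 16 numbers x 2 directions */
#define EP_ENABLED  0x1u

struct model_ep   { unsigned flags; int halted; };
struct model_ctrl { struct model_ep *eps[MAX_EPS]; };  /* unused slots stay NULL */

/* Assumed mapping: slot = endpoint number * 2, plus 1 for IN. */
static unsigned windex_to_slot(uint16_t windex)
{
    unsigned slot = (unsigned)(windex & EP_NUM_MASK) << 1;
    return (windex & EP_DIR_IN) ? (slot | 1) : slot;
}

/* Unchecked form: reads ep->flags through NULL when the host names an
 * endpoint this configuration never created. Shown for contrast only. */
struct model_ep *lookup_ep_unchecked(struct model_ctrl *c, uint16_t windex)
{
    struct model_ep *ep = c->eps[windex_to_slot(windex)];
    return (ep->flags & EP_ENABLED) ? ep : NULL;
}

/* Checked form: an empty slot is reported to the caller as "no endpoint". */
struct model_ep *lookup_ep(struct model_ctrl *c, uint16_t windex)
{
    struct model_ep *ep = c->eps[windex_to_slot(windex)];
    if (ep == NULL)
        return NULL;
    return (ep->flags & EP_ENABLED) ? ep : NULL;
}

/* Feature-request handler: a bad index becomes an error, not a crash. */
int handle_endpoint_halt(struct model_ctrl *c, uint16_t windex)
{
    struct model_ep *ep = lookup_ep(c, windex);
    if (ep == NULL)
        return -EINVAL;
    ep->halted = 1;
    return 0;
}

/* Constructed configuration: only ep0 OUT, ep0 IN and ep1 IN exist. */
int demo(uint16_t windex)
{
    static struct model_ep ep0o = { EP_ENABLED, 0 }, ep0i = { EP_ENABLED, 0 },
                           ep1i = { EP_ENABLED, 0 };
    struct model_ctrl c = { { NULL } };
    c.eps[0] = &ep0o; c.eps[1] = &ep0i; c.eps[3] = &ep1i;
    return handle_endpoint_halt(&c, windex);
}
```
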

Fix

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BDU:2025-07382
CVE-2021-47269
OESA-2024-1677
OESA-2024-1678
OPENSUSE-SU-2024_2185-1
SUSE-SU-2024:1979-1
SUSE-SU-2024:1983-1
SUSE-SU-2024:2010-1
SUSE-SU-2024:2183-1
SUSE-SU-2024:2184-1
SUSE-SU-2024:2185-1
USN-7930-1
USN-7930-2

Affected Products

Astra Linux
Linux Kernel
Suse
Ubuntu