PT-2025-16582 · Linux+5 · Linux Kernel+5
Published 2025-03-06 · Updated 2026-01-21 · CVE-2025-22023
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.11
Description
A vulnerability in the Linux kernel's xhci driver has been resolved. The issue occurred when handling Stopped and Stopped - Length Invalid events, where the driver did not skip missed isochronous TDs, causing the ring to get stuck. This buggy logic has been in place since the 3.x series, over 10 years ago. After commit d56b0b2ab142 in v6.11, TDs are immediately skipped when handling Stopped events, posing a potential problem in case of Stopped - Length Invalid. This event can occur on completed TDs or Link and No-Op TRBs, resulting in skipping all pending TDs, potentially causing isoc data loss and UAF by HW. The estimated number of potentially affected devices worldwide is not available.
Recommendations
For Linux kernel versions prior to 6.11, consider updating to version 6.11 or later to resolve the issue. As a temporary workaround, do not skip and do not clear the skip flag on Stopped - Length Invalid events, allowing the next event to skip missed TDs. Restrict access to the vulnerable xhci driver to minimize the risk of exploitation. Avoid using the TRB pointer in the affected API endpoint until the issue is resolved. At the moment, there is no information about additional mitigation measures.
Exploit
Fix
Improper Handling of Exceptional Conditions
Use After Free
Related Identifiers
Affected Products
Astra Linux
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu