PT-2025-37482 · Dwc3+7
Published: 2025-01-01 · Updated: 2026-04-20 · CVE-2025-39801
CVSS v2.0: 5.7 (Medium)
Vector: AV:L/AC:L/Au:S/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
This issue concerns a rarely observed endpoint command timeout in the dwc3 USB controller driver. The timeout causes a kernel panic when `panic_on_warn` is enabled, or unnecessary call trace prints when `panic_on_warn` is disabled. It was observed during fast software-controlled connect/disconnect test cases, specifically on Exynos platforms, where control transfers from a previous connect had not completed before a disconnect sequence was initiated, leading to timeouts when processing USB_ENDPOINT_HALT feature requests. The vulnerability occurs during the processing of device endpoint commands. The affected functions include dwc3_thread_interrupt, dwc3_ep0_interrupt, configfs_composite_setup, composite_setup, usb_ep_queue, dwc3_gadget_ep0_queue, dwc3_ep0_do_control_data, dwc3_send_gadget_ep_cmd, and dwc3_ep0_reset_state.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Assertion Failure
Related Identifiers
Affected Products
Debian
Exynos
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu
Dwc3