PT-2026-4671 · Linux · Linux Kernel

Lianqin · Published 2026-01-01 · Updated 2026-01-25 · CVE-2026-23009

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

The Linux kernel contains a flaw within the xhci sideband endpoint removal process. Specifically, the xhci_sideband_remove_endpoint() function incorrectly assumes the endpoint is running and possesses a valid transfer ring. This can lead to a crash when dereferencing a non-existent transfer ring (ep->ring) during suspend/wake-up stress testing or device re-enumeration. The issue arises from potential access to the ring after the xHCI has been reinitialized or the device disconnected. The fix involves removing unnecessary ring access and verifying the ring's existence before dereferencing it, as well as ensuring the endpoint is running before attempting to stop it. The xhci_initialize_ring_info() call during sideband endpoint removal has been removed.

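The unchecked and checked removal logic described above, as an added user-space model in C. It is not the kernel patch or code from this advisory, and every struct, enum and function name in it is a hypothetical stand-in.

```c
#include <stddef.h>
#include <stdio.h>

/* User-space model: every type and name here is a hypothetical stand-in,
 * not a kernel xHCI structure. */
enum ep_state { EP_RUNNING, EP_STOPPED };
enum result { STOP_ISSUED, STOP_SKIPPED, NULL_RING_DEREF };

struct ring { unsigned int enqueue; };
struct endpoint {
    struct ring *ring;    /* NULL once the controller was re-initialized */
    enum ep_state state;
};

/* Pre-fix shape: assumes the endpoint is running and owns a ring. */
static enum result remove_endpoint_unchecked(struct endpoint *ep)
{
    if (ep->ring == NULL)
        return NULL_RING_DEREF;   /* the kernel would oops here; the model reports it */
    ep->ring->enqueue = 0;        /* ring access the removal path did not need */
    ep->state = EP_STOPPED;       /* stop issued regardless of current state */
    return STOP_ISSUED;
}

/* Post-fix shape: no ring reset; stop only a running endpoint with a ring. */
static enum result remove_endpoint_checked(struct endpoint *ep)
{
    if (ep->ring == NULL || ep->state != EP_RUNNING)
        return STOP_SKIPPED;
    ep->state = EP_STOPPED;
    return STOP_ISSUED;
}

int main(void)
{
    struct ring r = { 7 };
    struct endpoint live = { &r, EP_RUNNING };
    struct endpoint gone = { NULL, EP_RUNNING };   /* constructed: device disconnected */
    struct endpoint idle = { &r, EP_STOPPED };     /* constructed: already stopped */

    printf("unchecked, ring gone: %d\n", remove_endpoint_unchecked(&gone));
    printf("checked, ring gone:   %d\n", remove_endpoint_checked(&gone));
    printf("checked, stopped ep:  %d\n", remove_endpoint_checked(&idle));
    printf("checked, live ep:     %d\n", remove_endpoint_checked(&live));
    return 0;
}
```
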
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2026-23009

Affected Products

Linux Kernel