Linux Kernel dwc3 Remove Requests Race Condition Causing USB Crash
CVE-2025-68287 Published on December 16, 2025
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
In the Linux kernel, the following vulnerability has been resolved:
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this, a check for request completion was added so that processing
is skipped if the request is already completed, and the request status for
ep0 is now set while queuing.
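A user-space C model of the completion check described above, added here as an illustration; it is not the kernel patch or dwc3 code. The type, state and function names (`model_req`, `REQ_COMPLETED`, `model_giveback`) and the status used for the reset path are assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical states and names for this model; they are not dwc3's own. */
enum req_state { REQ_QUEUED, REQ_COMPLETED };

struct model_req {
    enum req_state state;
    int status;     /* status passed to the completion callback */
    int givebacks;  /* times the completion callback ran */
};

/* Queueing records a known state, so later paths can tell "still pending". */
static void model_queue(struct model_req *r)
{
    r->state = REQ_QUEUED;
    r->status = -EINPROGRESS;
    r->givebacks = 0;
}

/* Stand-in for the delete-and-give-back step that all three paths reach.
 * Returns 1 if it completed the request, 0 if it skipped it. */
static int model_giveback(struct model_req *r, int status, int guarded)
{
    if (guarded && r->state == REQ_COMPLETED)
        return 0;   /* another path already completed this request */
    r->state = REQ_COMPLETED;
    r->status = status;
    r->givebacks++; /* in a real driver the owner may free the request here */
    return 1;
}

/* Replays the interleaving: Path 3 completes the request, then Path 1 or 2
 * reaches it. Nothing is freed here, so the double completion is counted. */
static struct model_req replay(int guarded)
{
    struct model_req r;
    model_queue(&r);
    model_giveback(&r, -ESHUTDOWN, guarded);   /* Path 3 */
    model_giveback(&r, -ECONNRESET, guarded);  /* Path 1/2; status is constructed */
    return r;
}

int main(void)
{
    printf("unguarded: %d givebacks\n", replay(0).givebacks);
    printf("guarded:   %d givebacks\n", replay(1).givebacks);
    return 0;
}
```

Without the guard the request is given back twice, which in the driver means touching a request its owner may already have freed; with the guard the second path skips it and the `-ESHUTDOWN` status from Path 3 stands.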
Affected Versions
Linux:
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below 467add9db13219101f14b6cc5477998b4aaa5fe2 is affected.
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below 67192e8cb7f941b5bba91e4bb290683576ce1607 is affected.
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below 47de14d741cc4057046c9e2f33df1f7828254e6c is affected.
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below afc0e34f161ce61ad351303c46eb57bd44b8b090 is affected.
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below 7cfb62888eba292fa35cd9ddbd28ce595f60e139 is affected.
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below fa5eaf701e576880070b60922200557ae4aa54e1 is affected.
- Version 72246da40f3719af3bfd104a2365b32537c27d83 and below e4037689a366743c4233966f0e74bc455820d316 is affected.
- Version 3.2 is affected.
- Before 3.2 is unaffected.
- Version 5.10.247, <= 5.10.* is unaffected.
- Version 5.15.197, <= 5.15.* is unaffected.
- Version 6.1.159, <= 6.1.* is unaffected.
- Version 6.6.119, <= 6.6.* is unaffected.
- Version 6.12.61, <= 6.12.* is unaffected.
- Version 6.17.11, <= 6.17.* is unaffected.
- Version 6.18, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.