Linux Kernel xhci NULL Poin Deref via portli debugfs
CVE-2026-43431 Published on May 8, 2026
xhci: Fix NULL pointer dereference when reading portli debugfs files
In the Linux kernel, the following vulnerability has been resolved:
xhci: Fix NULL pointer dereference when reading portli debugfs files
Michal reported and debgged a NULL pointer dereference bug in the
recently added portli debugfs files
Oops is caused when there are more port registers counted in
xhci->max_ports than ports reported by Supported Protocol capabilities.
This is possible if max_ports is more than maximum port number, or
if there are gaps between ports of different speeds the 'Supported
Protocol' capabilities.
In such cases port->rhub will be NULL so we can't reach xhci behind it.
Add an explicit NULL check for this case, and print portli in hex
without dereferencing port->rhub.
Products Associated with CVE-2026-43431
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 384c57ec720597f8104f69082cdd261abb998b80 and below 9c8bef223c6e991276188d30d74bdb2cbd8be652 is affected.
- Version 384c57ec720597f8104f69082cdd261abb998b80 and below ae4ff9dead5efa2025eddfcdb29411432bf40a7c is affected.
- Version 6.19 is affected.
- Before 6.19 is unaffected.
- Version 6.19.9, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.