{"id":"CVE-2024-45006","summary":"xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Fix Panther point NULL pointer deref at full-speed re-enumeration\n\nre-enumerating full-speed devices after a failed address device command\ncan trigger a NULL pointer dereference.\n\nFull-speed devices may need to reconfigure the endpoint 0 Max Packet Size\nvalue during enumeration. Usb core calls usb_ep0_reinit() in this case,\nwhich ends up calling xhci_configure_endpoint().\n\nOn Panther point xHC the xhci_configure_endpoint() function will\nadditionally check and reserve bandwidth in software. Other hosts do\nthis in hardware\n\nIf xHC address device command fails then a new xhci_virt_device structure\nis allocated as part of re-enabling the slot, but the bandwidth table\npointers are not set up properly here.\nThis triggers the NULL pointer dereference the next time usb_ep0_reinit()\nis called and xhci_configure_endpoint() tries to check and reserve\nbandwidth\n\n[46710.713538] usb 3-1: new full-speed USB device number 5 using xhci_hcd\n[46710.713699] usb 3-1: Device not responding to setup address.\n[46710.917684] usb 3-1: Device not responding to setup address.\n[46711.125536] usb 3-1: device not accepting address 5, error -71\n[46711.125594] BUG: kernel NULL pointer dereference, address: 0000000000000008\n[46711.125600] #PF: supervisor read access in kernel mode\n[46711.125603] #PF: error_code(0x0000) - not-present page\n[46711.125606] PGD 0 P4D 0\n[46711.125610] Oops: Oops: 0000 [#1] PREEMPT SMP PTI\n[46711.125615] CPU: 1 PID: 25760 Comm: kworker/1:2 Not tainted 6.10.3_2 #1\n[46711.125620] Hardware name: Gigabyte Technology Co., Ltd.\n[46711.125623] Workqueue: usb_hub_wq hub_event [usbcore]\n[46711.125668] RIP: 0010:xhci_reserve_bandwidth (drivers/usb/host/xhci.c\n\nFix this by making sure bandwidth table pointers are set up correctly\nafter a failed address device command, and additionally by avoiding\nchecking for bandwidth in cases like this where no actual endpoints are\nadded or removed, i.e. only context for default control endpoint 0 is\nevaluated.","modified":"2026-04-16T00:06:43.284896830Z","published":"2024-09-04T19:54:48.353Z","related":["SUSE-SU-2024:3551-1","SUSE-SU-2024:3553-1","SUSE-SU-2024:3561-1","SUSE-SU-2024:3564-1","SUSE-SU-2024:3569-1","SUSE-SU-2024:3587-1","SUSE-SU-2024:3592-1","SUSE-SU-2025:20073-1","SUSE-SU-2025:20077-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45006.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0f0654318e25b2c185e245ba4a591e42fabb5e59"},{"type":"WEB","url":"https://git.kernel.org/stable/c/365ef7c4277fdd781a695c3553fa157d622d805d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ad898ae82412f8a689d59829804bff2999dd0ea"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6b99de301d78e1f5249e57ef2c32e1dec3df2bb1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fb9d412ebe2f245f13481e4624b40e651570cbd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a57b0ebabe6862dce0a2e0f13e17941ad72fc56b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/af8e119f52e9c13e556be9e03f27957554a84656"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef0a0e616b2789bb804a0ce5e161db03170a85b6"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45006.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45006"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"651aaf36a7d7b36a58980e70133f9437d4f6d312"},{"fixed":"ef0a0e616b2789bb804a0ce5e161db03170a85b6"},{"fixed":"a57b0ebabe6862dce0a2e0f13e17941ad72fc56b"},{"fixed":"0f0654318e25b2c185e245ba4a591e42fabb5e59"},{"fixed":"365ef7c4277fdd781a695c3553fa157d622d805d"},{"fixed":"5ad898ae82412f8a689d59829804bff2999dd0ea"},{"fixed":"6b99de301d78e1f5249e57ef2c32e1dec3df2bb1"},{"fixed":"8fb9d412ebe2f245f13481e4624b40e651570cbd"},{"fixed":"af8e119f52e9c13e556be9e03f27957554a84656"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-45006.json"}}],"schema_version":"1.7.5"}