NULL pointer dereference in Linux kernel usb dwc3 driver

Published: 2024-05-31

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2021-47220
CWE-ID	CWE-476
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Linux kernel Operating systems & Components / Operating system
Vendor	Linux Foundation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) NULL pointer dereference

EUVDB-ID: #VU90462

Risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-47220

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the dwc3_remove() function in drivers/usb/dwc3/core.c. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Linux kernel: All versions

CPE2.3

cpe:2.3:o:linux_foundation:linux_kernel:*:*:*:*:*:*:*:*

External links

https://git.kernel.org/stable/c/ff4c63f3e8cb7af2ce51cc56b031e08fd23c758b
https://git.kernel.org/stable/c/58b5e02c6ca0e2b7c87cd8023ff786ef3c0eef74
https://git.kernel.org/stable/c/7f9745ab342bcce5efd5d4d2297d0a3dd9db0eac
https://git.kernel.org/stable/c/fd7c4bd582494934be15d41aebe0dbe23790605f
https://git.kernel.org/stable/c/174c27583b3807ac96228c442735b02622d8d1c3
https://git.kernel.org/stable/c/fa8c413e6b74ae5d12daf911c73238c5bdacd8e6
https://git.kernel.org/stable/c/4bf584a03eec674975ee9fe36c8583d9d470dab1

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.