{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-03T04:59:58.457","vulnerabilities":[{"cve":{"id":"CVE-2026-23009","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-01-25T15:15:55.767","lastModified":"2026-03-25T19:53:47.933","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: sideband: don't dereference freed ring when removing sideband endpoint\n\nxhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is\nrunning and has a valid transfer ring.\n\nLianqin reported a crash during suspend/wake-up stress testing, and\nfound the cause to be dereferencing a non-existing transfer ring\n'ep->ring' during xhci_sideband_remove_endpoint().\n\nThe endpoint and its ring may be in unknown state if this function\nis called after xHCI was reinitialized in resume (lost power), or if\ndevice is being re-enumerated, disconnected or endpoint already dropped.\n\nFix this by both removing unnecessary ring access, and by checking\nep->ring exists before dereferencing it. Also make sure endpoint is\nrunning before attempting to stop it.\n\nRemove the xhci_initialize_ring_info() call during sideband endpoint\nremoval as is it only initializes ring structure enqueue, dequeue and\ncycle state values to their starting values without changing actual\nhardware enqueue, dequeue and cycle state. Leaving them out of sync\nis worse than leaving it as it is. The endpoint will get freed in after\nthis in most usecases.\n\nIf the (audio) class driver want's to reuse the endpoint after offload\nthen it is up to the class driver to ensure endpoint is properly set up."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nxhci: banda lateral: no desreferenciar el anillo liberado al eliminar el punto final de banda lateral\n\nxhci_sideband_remove_endpoint() asume incorrectamente que el punto final está en ejecución y tiene un anillo de transferencia válido.\n\nLianqin informó de un fallo durante las pruebas de estrés de suspensión/activación, y encontró que la causa era la desreferenciación de un anillo de transferencia inexistente 'ep->ring' durante xhci_sideband_remove_endpoint().\n\nEl punto final y su anillo pueden estar en un estado desconocido si esta función se llama después de que xHCI fuera reinicializado en la reanudación (pérdida de energía), o si el dispositivo está siendo reenumerado, desconectado o el punto final ya ha sido descartado.\n\nSolucione esto eliminando el acceso innecesario al anillo y comprobando que 'ep->ring' existe antes de desreferenciarlo. También asegúrese de que el punto final esté en ejecución antes de intentar detenerlo.\n\nElimine la llamada a xhci_initialize_ring_info() durante la eliminación del punto final de banda lateral, ya que solo inicializa los valores de estado de encolamiento, desencolamiento y ciclo de la estructura del anillo a sus valores iniciales sin cambiar el estado real de encolamiento, desencolamiento y ciclo del hardware. Dejarlos fuera de sincronización es peor que dejarlo como está. El punto final será liberado después de esto en la mayoría de los casos de uso.\n\nSi el controlador de clase (de audio) desea reutilizar el punto final después de la descarga, entonces es responsabilidad del controlador de clase asegurar que el punto final esté configurado correctamente."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16.1","versionEndExcluding":"6.18.7","matchCriteriaId":"93EB4FA7-6AD6-4923-B7A8-9F5B3940F93F"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*","matchCriteriaId":"6238B17D-C12B-458F-A138-97039BFC4595"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*","matchCriteriaId":"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*","matchCriteriaId":"EB5B7DFC-C36B-45D8-922C-877569FDDF43"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}