CVE-2025-37882

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
09/05/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Fix isochronous Ring Underrun/Overrun event handling

The TRB pointer of these events points at enqueue at the time of error occurrence on xHCI 1.1+ HCs or it's NULL on older ones. By the time we are handling the event, a new TD may be queued at this ring position.

I can trigger this race by rising interrupt moderation to increase IRQ handling delay. Similar delay may occur naturally due to system load.

If this ever happens after a Missed Service Error, missed TDs will be skipped and the new TD processed as if it matched the event. It could be given back prematurely, risking data loss or buffer UAF by the xHC.

Don't complete TDs on xrun events and don't warn if queued TDs don't match the event's TRB pointer, which can be NULL or a link/no-op TRB. Don't warn if there are no queued TDs at all.

Now that it's safe, also handle xrun events if the skip flag is clear. This ensures completion of any TD stuck in 'error mid TD' state right before the xrun event, which could happen if a driver submits a finite number of URBs to a buggy HC and then an error occurs on the last TD.

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.12.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.5 (excluding)