CVE-2026-45911
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
27/05/2026
Last modified:
24/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
usb: cdns3: fix role switching during resume<br />
<br />
If the role change while we are suspended, the cdns3 driver switches to the<br />
new mode during resume. However, switching to host mode in this context<br />
causes a NULL pointer dereference.<br />
<br />
The host role&#39;s start() operation registers a xhci-hcd device, but its<br />
probe is deferred while we are in the resume path. The host role&#39;s resume()<br />
operation assumes the xhci-hcd device is already probed, which is not the<br />
case, leading to the dereference. Since the start() operation of the new<br />
role is already called, the resume operation can be skipped.<br />
<br />
So skip the resume operation for the new role if a role switch occurs<br />
during resume. Once the resume sequence is complete, the xhci-hcd device<br />
can be probed in case of host mode.<br />
<br />
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000208<br />
Mem abort info:<br />
...<br />
Data abort info:<br />
...<br />
[0000000000000208] pgd=0000000000000000, p4d=0000000000000000<br />
Internal error: Oops: 0000000096000004 [#1] SMP<br />
Modules linked in:<br />
CPU: 0 UID: 0 PID: 146 Comm: sh Not tainted<br />
6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT<br />
Hardware name: Texas Instruments J7200 EVM (DT)<br />
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br />
pc : usb_hcd_is_primary_hcd+0x0/0x1c<br />
lr : cdns_host_resume+0x24/0x5c<br />
...<br />
Call trace:<br />
usb_hcd_is_primary_hcd+0x0/0x1c (P)<br />
cdns_resume+0x6c/0xbc<br />
cdns3_controller_resume.isra.0+0xe8/0x17c<br />
cdns3_plat_resume+0x18/0x24<br />
platform_pm_resume+0x2c/0x68<br />
dpm_run_callback+0x90/0x248<br />
device_resume+0x100/0x24c<br />
dpm_resume+0x190/0x2ec<br />
dpm_resume_end+0x18/0x34<br />
suspend_devices_and_enter+0x2b0/0xa44<br />
pm_suspend+0x16c/0x5fc<br />
state_store+0x80/0xec<br />
kobj_attr_store+0x18/0x2c<br />
sysfs_kf_write+0x7c/0x94<br />
kernfs_fop_write_iter+0x130/0x1dc<br />
vfs_write+0x240/0x370<br />
ksys_write+0x70/0x108<br />
__arm64_sys_write+0x1c/0x28<br />
invoke_syscall+0x48/0x10c<br />
el0_svc_common.constprop.0+0x40/0xe0<br />
do_el0_svc+0x1c/0x28<br />
el0_svc+0x34/0x108<br />
el0t_64_sync_handler+0xa0/0xe4<br />
el0t_64_sync+0x198/0x19c<br />
Code: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)<br />
---[ end trace 0000000000000000 ]---
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.167 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.77 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.14 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/49c99dc247ebf7361db9dbdade3dcebfffaf2c22
- https://git.kernel.org/stable/c/56289298431ed76700b9aac27a3b1d929fe61b8d
- https://git.kernel.org/stable/c/87e4b043b98a1d269be0b812f383881abee0ca45
- https://git.kernel.org/stable/c/94c742614899ff18a6b3e6f3cfbe7b9f36c865f3
- https://git.kernel.org/stable/c/d637f6ec149ffd2f8257bcc261561dc2e44dbb8c
- https://git.kernel.org/stable/c/fc086c0ce3db0eefbbeb66a5b1e626296336e33a
- https://git.kernel.org/stable/c/ff02bd303d2d78051771db51119d66c0cf442f47



