Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45911

Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-476 Desreferencia a puntero nulo (NULL)
Fecha de publicación:
27/05/2026
Última modificación:
24/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: cdns3: fix role switching during resume<br /> <br /> If the role change while we are suspended, the cdns3 driver switches to the<br /> new mode during resume. However, switching to host mode in this context<br /> causes a NULL pointer dereference.<br /> <br /> The host role&amp;#39;s start() operation registers a xhci-hcd device, but its<br /> probe is deferred while we are in the resume path. The host role&amp;#39;s resume()<br /> operation assumes the xhci-hcd device is already probed, which is not the<br /> case, leading to the dereference. Since the start() operation of the new<br /> role is already called, the resume operation can be skipped.<br /> <br /> So skip the resume operation for the new role if a role switch occurs<br /> during resume. Once the resume sequence is complete, the xhci-hcd device<br /> can be probed in case of host mode.<br /> <br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000208<br /> Mem abort info:<br /> ...<br /> Data abort info:<br /> ...<br /> [0000000000000208] pgd=0000000000000000, p4d=0000000000000000<br /> Internal error: Oops: 0000000096000004 [#1] SMP<br /> Modules linked in:<br /> CPU: 0 UID: 0 PID: 146 Comm: sh Not tainted<br /> 6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT<br /> Hardware name: Texas Instruments J7200 EVM (DT)<br /> pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> pc : usb_hcd_is_primary_hcd+0x0/0x1c<br /> lr : cdns_host_resume+0x24/0x5c<br /> ...<br /> Call trace:<br /> usb_hcd_is_primary_hcd+0x0/0x1c (P)<br /> cdns_resume+0x6c/0xbc<br /> cdns3_controller_resume.isra.0+0xe8/0x17c<br /> cdns3_plat_resume+0x18/0x24<br /> platform_pm_resume+0x2c/0x68<br /> dpm_run_callback+0x90/0x248<br /> device_resume+0x100/0x24c<br /> dpm_resume+0x190/0x2ec<br /> dpm_resume_end+0x18/0x34<br /> suspend_devices_and_enter+0x2b0/0xa44<br /> pm_suspend+0x16c/0x5fc<br /> state_store+0x80/0xec<br /> kobj_attr_store+0x18/0x2c<br /> sysfs_kf_write+0x7c/0x94<br /> kernfs_fop_write_iter+0x130/0x1dc<br /> vfs_write+0x240/0x370<br /> ksys_write+0x70/0x108<br /> __arm64_sys_write+0x1c/0x28<br /> invoke_syscall+0x48/0x10c<br /> el0_svc_common.constprop.0+0x40/0xe0<br /> do_el0_svc+0x1c/0x28<br /> el0_svc+0x34/0x108<br /> el0t_64_sync_handler+0xa0/0xe4<br /> el0t_64_sync+0x198/0x19c<br /> Code: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)<br /> ---[ end trace 0000000000000000 ]---

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (incluyendo) 5.15.203 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (incluyendo) 6.1.167 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (incluyendo) 6.6.130 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.77 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.14 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)