CVE-2021-38204: 
Linux Kernel vulnerability analysis and mitigation

CVE-2021-38204 is a vulnerability discovered in the MAX-3421 host USB device driver in the Linux kernel before version 5.13.6. The vulnerability allows physically proximate attackers to cause a denial of service through use-after-free and system panic conditions by removing a MAX-3421 USB device in certain situations (Ubuntu Security, NVD).

The vulnerability stems from improper handling of device removal events in the MAX-3421 USB driver. The driver was remembering the state of USB toggles for a device/endpoint and only updating them when a new device/endpoint was being used. If the old device was removed, this would cause writes to freed memory, leading to memory corruption (Linux Commit). The issue has been assigned a CVSS 3 Severity Score of 6.8 (Medium) (Ubuntu Security).

When exploited, this vulnerability can result in a denial of service condition through system crashes. The attack requires physical access to the system and can only be triggered by removing a MAX-3421 USB device at specific times during operation (NVD).

The issue has been fixed in Linux kernel version 5.13.6 with a patch that changes how USB toggles are handled. The fix implements a simpler scheme where toggles are read from hardware when a URB is completed and written to hardware when any URB transaction is started. While this causes more SPI transactions, it prevents kernel panics (Linux Commit). Various Linux distributions have backported the fix to their supported kernel versions (Ubuntu Security).