CVE-2021-47273: 
Linux Debian vulnerability analysis and mitigation

CVE-2021-47273 is a vulnerability in the Linux kernel affecting the USB DWC3 Meson G12A driver. The issue was discovered and disclosed on May 21, 2024, affecting Linux kernel versions from 5.8 through 5.10.44, 5.11 through 5.12.11, and 5.13-rc1 through 5.13-rc5. The vulnerability occurs when only PHY1 is used (for example on Odroid-HC4), where the regmap initialization code incorrectly handles USB2 ports initialization when PHY0 is disabled (NVD).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) issue. When attempting to initialize the USB2 PHY glue when PHY0 is disabled, the code attempts to access memory at virtual address 0x20, resulting in a kernel NULL pointer dereference. The vulnerability has a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to a kernel NULL pointer dereference, which typically results in a system crash or denial of service condition. This affects systems using the DWC3 Meson G12A USB driver, particularly when configured with specific PHY settings (NVD).

The vulnerability has been patched in the Linux kernel. The fix involves modifying the USB2 PHY glue initialization code to properly handle cases where PHY0 is disabled. The patch changes the initialization loop to check for USB2 PHY devices specifically and skip non-USB2 PHY entries (Kernel Patch).