CVE-2025-21776: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21776 affects the Linux kernel's USB hub driver, where a vulnerability was discovered that could lead to a NULL pointer dereference. The issue was discovered by Robert Morris and disclosed in February 2025. The vulnerability exists when a USB hub device violates the USB 2.0 specification by having more than one configuration or interface, causing the usbhubtostructhub() function to potentially dereference a NULL or inappropriate pointer (NVD).

The vulnerability occurs when a USB hub device has two interfaces, causing the hub driver to bind to interface 1 instead of interface 0, where usbhubtostructhub() expects to find the hub structure. This can result in a general protection fault with a non-canonical address access. The issue manifests as a NULL pointer dereference in the usbhubadjust_deviceremovable function. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a kernel crash through a NULL pointer dereference, leading to a denial of service condition. The impact is limited to local attacks and requires low privileges to execute (NVD).

The issue has been patched in the Linux kernel by adding validation checks in the hub_probe function to reject USB hub devices that violate the USB 2.0 specification by having more than one configuration or interface. The fix prevents the vulnerability by returning -EINVAL when such non-compliant devices are detected (Kernel Patch).