CVE-2025-22023: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-22023 is a vulnerability discovered in the Linux kernel's USB XHCI driver, specifically related to handling of isochronous Transfer Descriptors (TDs) during Stopped - Length Invalid events. The issue was identified in April 2025 and affects Linux kernel versions from the 3.x series up until v6.11 (NVD, Debian Tracker).

The vulnerability stems from the driver's handling of missed isochronous TDs during Stoppend and Stopped - Length Invalid events. Prior to commit d56b0b2ab142, the driver erroneously cleared the skip flag instead of skipping missed TDs, causing the ring to get stuck as future events wouldn't match the missed TD that remained in the queue until cancelled. After the commit, while TDs were immediately skipped during Stopped events, this created a potential issue with Stopped - Length Invalid events, where completed TDs or Link and No-Op TRBs could result in skipping all pending TDs prematurely. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (Red Hat).

The vulnerability can lead to isochronous data loss and potentially Use-After-Free (UAF) conditions by hardware. When a TD is cancelled, its actual length may not be updated to account for TRBs that were silently completed before the TD was stopped (NVD).

As a mitigation, the patch implements a compromise where the skip flag is neither skipped nor cleared on Stopped - Length Invalid events, allowing the next event to handle missed TDs. A more comprehensive fix involving the examination of Stopped event's TRB pointer for skipping decisions is planned but unlikely to be backported to v6.12 (Debian Tracker).