{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-47267", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-21T13:27:52.127Z", "datePublished": "2024-05-21T14:19:57.894Z", "dateUpdated": "2025-05-21T08:31:41.486Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-21T08:31:41.486Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadget panics on 10gbps cabling\n\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\n\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\n\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\n\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\n\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/config.c"], "versions": [{"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "fd24be23abf3e94260be0f00bb42c7e91d495f87", "status": "affected", "versionType": "git"}, {"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604", "status": "affected", "versionType": "git"}, {"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "45f9a2fe737dc0a5df270787f2231aee8985cd59", "status": "affected", "versionType": "git"}, {"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "5ef23506695b01d5d56a13a092a97f2478069d75", "status": "affected", "versionType": "git"}, {"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "b972eff874637402ddc4a7dd11fb22538a0b6d28", "status": "affected", "versionType": "git"}, {"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "ca6bc277430d90375452b60b047763a090b7673e", "status": "affected", "versionType": "git"}, {"version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "032e288097a553db5653af552dd8035cd2a0ba96", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/config.c"], "versions": [{"version": "3.8", "status": "affected"}, {"version": "0", "lessThan": "3.8", "status": "unaffected", "versionType": "semver"}, {"version": "4.9.273", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.14.237", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "4.19.195", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.126", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.44", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.12.11", "lessThanOrEqual": "5.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "4.9.273"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "4.14.237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "4.19.195"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.4.126"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.10.44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.12.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.8", "versionEndExcluding": "5.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87"}, {"url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604"}, {"url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59"}, {"url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75"}, {"url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28"}, {"url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e"}, {"url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96"}], "title": "usb: fix various gadget panics on 10gbps cabling", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-21T18:49:52.112384Z", "id": "CVE-2021-47267", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-01T17:09:36.092Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.001Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:32:08.001Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-47267", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-21T18:49:52.112384Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:25.502Z"}}], "cna": {"title": "usb: fix various gadget panics on 10gbps cabling", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "fd24be23abf3e94260be0f00bb42c7e91d495f87", "versionType": "git"}, {"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604", "versionType": "git"}, {"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "45f9a2fe737dc0a5df270787f2231aee8985cd59", "versionType": "git"}, {"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "5ef23506695b01d5d56a13a092a97f2478069d75", "versionType": "git"}, {"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "b972eff874637402ddc4a7dd11fb22538a0b6d28", "versionType": "git"}, {"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "ca6bc277430d90375452b60b047763a090b7673e", "versionType": "git"}, {"status": "affected", "version": "10287baec761d33f0a82d84b46e37a44030350d8", "lessThan": "032e288097a553db5653af552dd8035cd2a0ba96", "versionType": "git"}], "programFiles": ["drivers/usb/gadget/config.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "3.8"}, {"status": "unaffected", "version": "0", "lessThan": "3.8", "versionType": "semver"}, {"status": "unaffected", "version": "4.9.273", "versionType": "semver", "lessThanOrEqual": "4.9.*"}, {"status": "unaffected", "version": "4.14.237", "versionType": "semver", "lessThanOrEqual": "4.14.*"}, {"status": "unaffected", "version": "4.19.195", "versionType": "semver", "lessThanOrEqual": "4.19.*"}, {"status": "unaffected", "version": "5.4.126", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.44", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.12.11", "versionType": "semver", "lessThanOrEqual": "5.12.*"}, {"status": "unaffected", "version": "5.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/usb/gadget/config.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87"}, {"url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604"}, {"url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59"}, {"url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75"}, {"url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28"}, {"url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e"}, {"url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadget panics on 10gbps cabling\n\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\n\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\n\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\n\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\n\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way)."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.9.273", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.14.237", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.19.195", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.126", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.44", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.12.11", "versionStartIncluding": "3.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.13", "versionStartIncluding": "3.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-21T08:31:41.486Z"}}}, "cveMetadata": {"cveId": "CVE-2021-47267", "state": "PUBLISHED", "dateUpdated": "2025-05-21T08:31:41.486Z", "dateReserved": "2024-05-21T13:27:52.127Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-21T14:19:57.894Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AAF8753-C28A-4F2A-8469-E86334097252", "versionEndExcluding": "4.9.273", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "83CDDAD5-5539-46C9-9255-C1DAC38F7905", "versionEndExcluding": "4.14.237", "versionStartIncluding": "4.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "23EECCE9-4D4C-4684-AB00-10C938F5DDC1", "versionEndExcluding": "4.19.195", "versionStartIncluding": "4.15", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "876275F9-BEC7-40E8-9D7F-A20729A4A4FF", "versionEndExcluding": "5.4.126", "versionStartIncluding": "4.20", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA547B08-9D25-467B-AD0D-8460FE4EE70D", "versionEndExcluding": "5.10.44", "versionStartIncluding": "5.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F914A757-FAFD-407E-9031-21F66635D5EA", "versionEndExcluding": "5.12.11", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: fix various gadget panics on 10gbps cabling\n\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\n  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\n  high-speed (USB2.0 - 480Mbps),\n  super-speed (USB3.0 - 5Gbps),\n  super-speed-plus (USB3.1 - 10Gbps).\n\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\n\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\n\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\n\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way)."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: usb: corrige varios fallos de dispositivos en cableado de 10 gbps usb_assign_descriptors() se llama con 5 par\u00e1metros, los \u00faltimos 4 de los cuales son usb_descriptor_header para: velocidad completa (USB1.1 - 12Mbps [ incluyendo USB1.0 de baja velocidad a 1,5 Mbps), alta velocidad (USB2.0 - 480 Mbps), s\u00faper velocidad (USB3.0 - 5 Gbps), s\u00faper velocidad plus (USB3.1 - 10 Gbps). Las diferencias entre los descriptores de velocidad completa/alta/supervelocidad suelen ser sustanciales (debido a cambios en el tama\u00f1o m\u00e1ximo del bloque USB de 64 a 512 a 1024 bytes y otras diferencias en las especificaciones), mientras que la diferencia entre los descriptores de 5 y 10 Gbps puede ser tan casi nada (en muchos casos, la misma afinaci\u00f3n es simplemente suficiente). Sin embargo, si un controlador de dispositivo llama a usb_assign_descriptors() con un descriptor NULL para super-speed-plus y luego se usa en una configuraci\u00f3n m\u00e1xima de 10 gbps, el kernel fallar\u00e1 con una desreferencia de puntero null, cuando un puerto de dispositivo con capacidad de 10 gbps + cable + puerto de host Aparece la combinaci\u00f3n. (Esto no suceder\u00eda si la velocidad m\u00e1xima del dispositivo estuviera configurada en 5 gbps, pero, por supuesto, est\u00e1 predeterminada al m\u00e1ximo y no hay ninguna raz\u00f3n real para limitarla artificialmente). La soluci\u00f3n es simplemente usar el descriptor de 5 gbps como el descriptor de 10 gbps, si no se proporcion\u00f3 un descriptor de 10 gbps. Obviamente, esto no solucionar\u00e1 el problema si el descriptor de 5 gbps tambi\u00e9n es NULL, pero estos casos no se pueden resolver de manera tan trivial (y es poco probable que dichos dispositivos se utilicen con puertos USB3 de alguna manera)."}], "id": "CVE-2021-47267", "lastModified": "2025-04-04T14:30:02.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-05-21T15:15:15.297", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/032e288097a553db5653af552dd8035cd2a0ba96"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/45f9a2fe737dc0a5df270787f2231aee8985cd59"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5ef23506695b01d5d56a13a092a97f2478069d75"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/70cd19cb5bd94bbb5bacfc9c1e4ee0071699a604"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b972eff874637402ddc4a7dd11fb22538a0b6d28"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ca6bc277430d90375452b60b047763a090b7673e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fd24be23abf3e94260be0f00bb42c7e91d495f87"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: fix various gadget panics on 10gbps cabling", "id": "2282538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2282538"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nusb: fix various gadget panics on 10gbps cabling\nusb_assign_descriptors() is called with 5 parameters,\nthe last 4 of which are the usb_descriptor_header for:\nfull-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),\nhigh-speed (USB2.0 - 480Mbps),\nsuper-speed (USB3.0 - 5Gbps),\nsuper-speed-plus (USB3.1 - 10Gbps).\nThe differences between full/high/super-speed descriptors are usually\nsubstantial (due to changes in the maximum usb block size from 64 to 512\nto 1024 bytes and other differences in the specs), while the difference\nbetween 5 and 10Gbps descriptors may be as little as nothing\n(in many cases the same tuning is simply good enough).\nHowever if a gadget driver calls usb_assign_descriptors() with\na NULL descriptor for super-speed-plus and is then used on a max 10gbps\nconfiguration, the kernel will crash with a null pointer dereference,\nwhen a 10gbps capable device port + cable + host port combination shows up.\n(This wouldn't happen if the gadget max-speed was set to 5gbps, but\nit of course defaults to the maximum, and there's no real reason to\nartificially limit it)\nThe fix is to simply use the 5gbps descriptor as the 10gbps descriptor,\nif a 10gbps descriptor wasn't provided.\nObviously this won't fix the problem if the 5gbps descriptor is also\nNULL, but such cases can't be so trivially solved (and any such gadgets\nare unlikely to be used with USB3 ports any way)."], "name": "CVE-2021-47267", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-47267\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-47267\nhttps://lore.kernel.org/linux-cve-announce/2024052149-CVE-2021-47267-1427@gregkh/T"], "threat_severity": "Low"}