In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths
This patch addresses a race condition caused by unsynchronized
execution of multiple call paths invoking `dwc3_remove_requests()`,
leading to premature freeing of USB requests and subsequent crashes.
Three distinct execution paths interact with `dwc3_remove_requests()`:
Path 1:
Triggered via `dwc3_gadget_reset_interrupt()` during USB reset
handling. The call stack includes:
- `dwc3_ep0_reset_state()`
- `dwc3_ep0_stall_and_restart()`
- `dwc3_ep0_out_start()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 2:
Also initiated from `dwc3_gadget_reset_interrupt()`, but through
`dwc3_stop_active_transfers()`. The call stack includes:
- `dwc3_stop_active_transfers()`
- `dwc3_remove_requests()`
- `dwc3_gadget_del_and_unmap_request()`
Path 3:
Occurs independently during `adb root` execution, which triggers
USB function unbind and bind operations. The sequence includes:
- `gserial_disconnect()`
- `usb_ep_disable()`
- `dwc3_gadget_ep_disable()`
- `dwc3_remove_requests()` with `-ESHUTDOWN` status
Path 3 operates asynchronously and lacks synchronization with Paths
1 and 2. When Path 3 completes, it disables endpoints and frees 'out'
requests. If Paths 1 or 2 are still processing these requests,
accessing freed memory leads to a crash due to use-after-free conditions.
To fix this added check for request completion and skip processing
if already completed and added the request status for ep0 while queue.
Security readout for executives and security teams
Plain-English summary
CVE-2025-68287 is a Linux kernel USB DWC3 bug where concurrent cleanup paths can free USB requests too early. The documented impact is a crash from use-after-free during USB reset or gadget rebind activity. The source bundle does not show confirmed active exploitation or a CVSS score.
Executive priority
Prioritize affected USB gadget-enabled devices in product, lab, and embedded fleets. This is not currently documented as exploited, but kernel crashes in connected devices can affect availability and support burden.
Technical view
The flaw is a race among three dwc3_remove_requests() call paths: two from USB reset handling and one from USB function unbind/bind during adb root. Unsynchronized paths can let one path complete and free endpoint requests while another still processes them, causing use-after-free crashes. Stable kernel commits add completion/status checks.
Likely exposure
Exposure is most likely on Linux systems or embedded devices using the Synopsys DWC3 USB gadget driver, especially kernels in affected stable ranges before the referenced fixes. General servers without DWC3 USB gadget functionality are less likely exposed.
Exploitation context
The bundle marks KEV as false and provides no evidence of active exploitation. The described trigger involves timing-sensitive USB reset and gadget function lifecycle events, including an adb root-related unbind/bind path. Treat exploitability beyond crash impact as unproven from the supplied sources.
Researcher notes
Evidence is limited to the CVE record and upstream stable commit references. No CVSS, CWE, exploit confirmation, or distribution-specific advisory is included. Analysis should avoid assuming remote reachability or privilege escalation without additional vendor data.
Mitigation direction
Update to a kernel release containing the referenced stable fixes.
Check Linux distribution advisories for backported DWC3 fixes.
Prioritize embedded and Android-adjacent devices using USB gadget mode.
Reduce unnecessary USB gadget exposure where operationally feasible.
Track vendor guidance if running customized kernel trees.
Validation and detection
Inventory systems using the dwc3 USB gadget driver.
Map running kernel versions against vendor fixed releases or referenced commits.
Review crash logs for DWC3 request cleanup or use-after-free traces.
Confirm distro kernels include the stable backport, not only upstream version numbers.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68287 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.