LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68287: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-68287 is a Linux kernel USB DWC3 bug where concurrent cleanup paths can free USB requests too early. The documented impact is a crash from use-after-free during USB reset or gadget rebind activity. The source bundle does not show confirmed active exploitation or a CVSS score.

Executive priority

Prioritize affected USB gadget-enabled devices in product, lab, and embedded fleets. This is not currently documented as exploited, but kernel crashes in connected devices can affect availability and support burden.

Technical view

The flaw is a race among three dwc3_remove_requests() call paths: two from USB reset handling and one from USB function unbind/bind during adb root. Unsynchronized paths can let one path complete and free endpoint requests while another still processes them, causing use-after-free crashes. Stable kernel commits add completion/status checks.

Likely exposure

Exposure is most likely on Linux systems or embedded devices using the Synopsys DWC3 USB gadget driver, especially kernels in affected stable ranges before the referenced fixes. General servers without DWC3 USB gadget functionality are less likely exposed.

Exploitation context

The bundle marks KEV as false and provides no evidence of active exploitation. The described trigger involves timing-sensitive USB reset and gadget function lifecycle events, including an adb root-related unbind/bind path. Treat exploitability beyond crash impact as unproven from the supplied sources.

Researcher notes

Evidence is limited to the CVE record and upstream stable commit references. No CVSS, CWE, exploit confirmation, or distribution-specific advisory is included. Analysis should avoid assuming remote reachability or privilege escalation without additional vendor data.

Mitigation direction

  • Update to a kernel release containing the referenced stable fixes.
  • Check Linux distribution advisories for backported DWC3 fixes.
  • Prioritize embedded and Android-adjacent devices using USB gadget mode.
  • Reduce unnecessary USB gadget exposure where operationally feasible.
  • Track vendor guidance if running customized kernel trees.

Validation and detection

  • Inventory systems using the dwc3 USB gadget driver.
  • Map running kernel versions against vendor fixed releases or referenced commits.
  • Review crash logs for DWC3 request cleanup or use-after-free traces.
  • Confirm distro kernels include the stable backport, not only upstream version numbers.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68287 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux72246da40f3719af3bfd104a2365b32537c27d83, 72246da40f3719af3bfd104a2365b32537c27d83, 72246da40f3719af3bfd104a2365b32537c27d83, 72246da40f3719af3bfd104a2365b32537c27d83, 72246da40f3719af3bfd104a2365b32537c27d83, 72246da40f3719af3bfd104a2365b32537c27d83, 72246da40f3719af3bfd104a2365b32537c27d83unaffected
LinuxLinux3.2, 0, 5.10.247, 5.15.197, 6.1.159, 6.6.119, 6.12.61, 6.17.11, 6.18affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.