CVE-2026-43431

MEDIUM

xhci: Fix NULL pointer dereference when reading portli debugfs files

Title source: cna

Description

In the Linux kernel, the following vulnerability has been resolved: xhci: Fix NULL pointer dereference when reading portli debugfs files Michal reported and debgged a NULL pointer dereference bug in the recently added portli debugfs files Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds the 'Supported Protocol' capabilities. In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub.

References (2)

Core 2

Core References

https://git.kernel.org/stable/c/9c8bef223c6e991276188d30d74bdb2cbd8be652

https://git.kernel.org/stable/c/ae4ff9dead5efa2025eddfcdb29411432bf40a7c

Scores

CVSS v3 5.5

EPSS 0.0001

EPSS Percentile 3.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-476

Status published

Products (8)

Linux/Linux < 6.19

Linux/Linux 384c57ec720597f8104f69082cdd261abb998b80 - 9c8bef223c6e991276188d30d74bdb2cbd8be652

Linux/Linux 384c57ec720597f8104f69082cdd261abb998b80 - ae4ff9dead5efa2025eddfcdb29411432bf40a7c

Linux/Linux 6.19

Linux/Linux 6.19.9 - 6.19.*

Linux/Linux 7.0

linux/linux_kernel 7.0 rc1 (4 CPE variants)

linux/linux_kernel 6.19 - 6.19.9

Published May 08, 2026

Tracked Since May 08, 2026