{"id":"CVE-2025-38555","summary":"usb: gadget : fix use-after-free in composite_dev_cleanup()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget : fix use-after-free in composite_dev_cleanup()\n\n1. In func configfs_composite_bind() -\u003e composite_os_desc_req_prepare():\nif kmalloc fails, the pointer cdev-\u003eos_desc_req will be freed but not\nset to NULL. Then it will return a failure to the upper-level function.\n2. in func configfs_composite_bind() -\u003e composite_dev_cleanup():\nit will checks whether cdev-\u003eos_desc_req is NULL. If it is not NULL, it\nwill attempt to use it.This will lead to a use-after-free issue.\n\nBUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0\nRead of size 8 at addr 0000004827837a00 by task init/1\n\nCPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1\n kasan_report+0x188/0x1cc\n __asan_load8+0xb4/0xbc\n composite_dev_cleanup+0xf4/0x2c0\n configfs_composite_bind+0x210/0x7ac\n udc_bind_to_driver+0xb4/0x1ec\n usb_gadget_probe_driver+0xec/0x21c\n gadget_dev_desc_UDC_store+0x264/0x27c","modified":"2026-04-16T04:38:56.178636239Z","published":"2025-08-19T17:02:34.110Z","related":["SUSE-SU-2025:03272-1","SUSE-SU-2025:03283-1","SUSE-SU-2025:03290-1","SUSE-SU-2025:03301-1","SUSE-SU-2025:03314-1","SUSE-SU-2025:03315-1","SUSE-SU-2025:03317-1","SUSE-SU-2025:03318-1","SUSE-SU-2025:03319-1","SUSE-SU-2025:03321-1","SUSE-SU-2025:03341-1","SUSE-SU-2025:03343-1","SUSE-SU-2025:03344-1","SUSE-SU-2025:03370-1","SUSE-SU-2025:03374-1","SUSE-SU-2025:03375-1","SUSE-SU-2025:03381-1","SUSE-SU-2025:03382-1","SUSE-SU-2025:03383-1","SUSE-SU-2025:03387-1","SUSE-SU-2025:03389-1","SUSE-SU-2025:03391-1","SUSE-SU-2025:03392-1","SUSE-SU-2025:03393-1","SUSE-SU-2025:03395-1","SUSE-SU-2025:03396-1","SUSE-SU-2025:03397-1","SUSE-SU-2025:03400-1","SUSE-SU-2025:03403-1","SUSE-SU-2025:03406-1","SUSE-SU-2025:03408-1","SUSE-SU-2025:03410-1","SUSE-SU-2025:03411-1","SUSE-SU-2025:03412-1","SUSE-SU-2025:03413-1","SUSE-SU-2025:03418-1","SUSE-SU-2025:03419-1","SUSE-SU-2025:03602-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20653-1","SUSE-SU-2025:20669-1","SUSE-SU-2025:20722-1","SUSE-SU-2025:20723-1","SUSE-SU-2025:20724-1","SUSE-SU-2025:20725-1","SUSE-SU-2025:20726-1","SUSE-SU-2025:20727-1","SUSE-SU-2025:20728-1","SUSE-SU-2025:20729-1","SUSE-SU-2025:20730-1","SUSE-SU-2025:20731-1","SUSE-SU-2025:20732-1","SUSE-SU-2025:20733-1","SUSE-SU-2025:20734-1","SUSE-SU-2025:20735-1","SUSE-SU-2025:20736-1","SUSE-SU-2025:20737-1","SUSE-SU-2025:20738-1","SUSE-SU-2025:20739-1","SUSE-SU-2025:20756-1","SUSE-SU-2025:20768-1","SUSE-SU-2025:20769-1","SUSE-SU-2025:20770-1","SUSE-SU-2025:20771-1","SUSE-SU-2025:20772-1","SUSE-SU-2025:20773-1","SUSE-SU-2025:20774-1","SUSE-SU-2025:20784-1","SUSE-SU-2025:20785-1","SUSE-SU-2025:20786-1","SUSE-SU-2025:20787-1","SUSE-SU-2025:20788-1","SUSE-SU-2025:20789-1","SUSE-SU-2025:20790-1","SUSE-SU-2025:20791-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38555.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/151c0aa896c47a4459e07fee7d4843f44c1bb18e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2db29235e900a084a656dea7e0939b0abb7bb897"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5f06ee9f9a3665d43133f125c17e5258a13f3963"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8afb22aa063f706f3343707cdfb8cda4d021dd33"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aada327a9f8028c573636fa60c0abc80fb8135c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dba96dfa5a0f685b959dd28a52ac8dab0b805204"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e1be1f380c82a69f80c68c96a7cfe8759fb30355"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e624bf26127645a2f7821e73fdf6dc64bad07835"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38555.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38555"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"37a3a533429ef9b3cc9f15a656c19623f0e88df7"},{"fixed":"dba96dfa5a0f685b959dd28a52ac8dab0b805204"},{"fixed":"2db29235e900a084a656dea7e0939b0abb7bb897"},{"fixed":"8afb22aa063f706f3343707cdfb8cda4d021dd33"},{"fixed":"e624bf26127645a2f7821e73fdf6dc64bad07835"},{"fixed":"aada327a9f8028c573636fa60c0abc80fb8135c9"},{"fixed":"5f06ee9f9a3665d43133f125c17e5258a13f3963"},{"fixed":"bd3c4ef60baf7f65c963f3e12d9d7b2b091e20ba"},{"fixed":"e1be1f380c82a69f80c68c96a7cfe8759fb30355"},{"fixed":"151c0aa896c47a4459e07fee7d4843f44c1bb18e"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38555.json"}}],"schema_version":"1.7.5"}