CVE-2021-46986: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Free gadget structure only after freeing endpoints

As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structure dynamically") the dwc3_gadget_release() was added which will free the dwc->gadget structure upon the device's removal when usb_del_gadget_udc() is called in dwc3_gadget_exit().

However, simply freeing the gadget results in a dangling pointer situation: the endpoints created in dwc3_gadget_init_endpoints() have their dep->endpoint.ep_list members chained off the list_head anchored at dwc->gadget->ep_list. Thus when dwc->gadget is freed, the first dwc3_ep in the list now has a dangling prev pointer and likewise for the next pointer of the dwc3_ep at the tail of the list. The dwc3_gadget_free_endpoints() that follows will result in a use-after-free when it calls list_del().

This was caught by enabling KASAN and performing a driver unbind. The recent commit 568262bf5492 ("usb: dwc3: core: Add shutdown callback for dwc3") also exposes this as a panic during shutdown.

There are a few possibilities to fix this. One could be to perform a list_del() of the gadget->ep_list itself which removes it from the rest of the dwc3_ep chain. Another approach is what this patch does, by splitting up the usb_del_gadget_udc() call into its separate "del" and "put" components. This allows dwc3_gadget_free_endpoints() to be called before the gadget is finally freed with usb_put_gadget().
AI Analysis
Technical Summary
CVE-2021-46986 is a use-after-free vulnerability in the Linux kernel's USB gadget driver for the DesignWare Core USB3 (dwc3) controller. The vulnerability arises from improper memory management during the removal of the USB gadget device. Specifically, the dwc3_gadget_release() function frees the gadget structure (dwc->gadget) before the endpoints linked to this structure are properly freed. The endpoints are chained via a linked list anchored at dwc->gadget->ep_list. When the gadget structure is freed prematurely, the linked list pointers become dangling, leading to a use-after-free condition when dwc3_gadget_free_endpoints() subsequently attempts to remove endpoints from the list using list_del(). This flaw was identified through Kernel Address Sanitizer (KASAN) testing and can cause kernel panics during device shutdown sequences. The patch to fix this issue involves splitting the usb_del_gadget_udc() call into separate "del" and "put" operations, ensuring that endpoints are freed before the gadget structure itself is released, thereby preventing the dangling pointer dereference. This vulnerability affects Linux kernel versions containing the commit e81a7018d93a7de31a3f121c9a7eecd0a5ec58b0 and related builds. Although no known exploits are reported in the wild, the flaw could be triggered during device removal or shutdown, potentially leading to kernel crashes or memory corruption.
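The ordering problem described above, as an added userspace model (not the kernel's code and not the patch): it counts how many list_del() pointer writes land in the gadget's list anchor after the gadget has been released. The struct layouts, the released flag and the teardown() helper are assumptions made for illustration; memory is really freed only at the end so the program has defined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
struct gadget { struct list_head ep_list; int released; }; /* models dwc->gadget */
struct ep     { struct list_head ep_list; };               /* models dwc3_ep */

static struct gadget *g;   /* owner of the list anchor */
static int stale_writes;   /* writes that land in a released gadget */

/* Count a write through p if p is the anchor of a released gadget. */
static void touch(struct list_head *p) {
    if (p == &g->ep_list && g->released) stale_writes++;
}

static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Same neighbour updates as list_del(): both neighbours are written. */
static void list_del(struct list_head *e) {
    touch(e->next); e->next->prev = e->prev;
    touch(e->prev); e->prev->next = e->next;
}

/* Returns the number of writes into released memory for a teardown order.
 * release_first != 0: gadget released before the endpoints (flawed order).
 * release_first == 0: endpoints unlinked first, gadget last (fixed order). */
int teardown(int n_eps, int release_first) {
    struct ep *eps = calloc(n_eps, sizeof(*eps));
    g = calloc(1, sizeof(*g));
    g->ep_list.next = g->ep_list.prev = &g->ep_list;
    stale_writes = 0;
    for (int i = 0; i < n_eps; i++) list_add_tail(&eps[i].ep_list, &g->ep_list);

    if (release_first) g->released = 1;   /* models the early free */
    for (int i = 0; i < n_eps; i++) list_del(&eps[i].ep_list);
    g->released = 1;                      /* models usb_put_gadget() coming last */

    free(eps); free(g);                   /* real frees only after all list work */
    return stale_writes;
}

int main(void) {
    printf("flawed order: %d stale writes\n", teardown(3, 1));
    printf("fixed order:  %d stale writes\n", teardown(3, 0));
    return 0;
}
```

With three endpoints the flawed order produces four writes into the released anchor: one per list_del() through prev, plus one through next when the tail endpoint is removed.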
Potential Impact
For European organizations, the impact of CVE-2021-46986 primarily concerns systems running Linux kernels with the affected dwc3 USB gadget driver, especially those using embedded devices, IoT gateways, or specialized hardware that rely on USB gadget functionality. Exploitation could lead to denial of service via kernel panic or instability, disrupting critical services or embedded applications. In environments where Linux is used for industrial control systems, telecommunications, or network infrastructure, such instability could cause operational downtime or degraded performance. While direct remote exploitation is unlikely without local access or device interaction, attackers with physical or privileged access could trigger the vulnerability to escalate disruptions. This could be particularly impactful in sectors like manufacturing, healthcare, or transportation where Linux-based embedded systems are common. Additionally, kernel panics could be leveraged as part of a broader attack chain to facilitate privilege escalation or bypass security controls if combined with other vulnerabilities.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to versions that include the fix for CVE-2021-46986. Specifically, applying patches that implement the corrected sequence of freeing USB gadget endpoints before releasing the gadget structure is critical. For embedded or IoT devices where kernel updates are less frequent, vendors should be engaged to provide firmware updates or mitigations. System administrators should audit devices using the dwc3 USB gadget driver and assess exposure, especially in environments with USB device removal or shutdown operations. Additionally, enabling kernel memory-error detectors such as KASAN during testing phases can help detect similar memory management issues proactively. Where possible, restrict physical and privileged access to devices to reduce the risk of exploitation. Monitoring system logs for kernel panics related to USB gadget removal can aid in early detection of attempted exploitation or instability caused by this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.946Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe99bf
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:42:10 PM
Last updated: 8/20/2025, 10:31:50 AM