{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40314","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.185Z","datePublished":"2025-12-08T00:46:40.576Z","dateUpdated":"2026-05-11T21:46:57.519Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:46:57.519Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget\n\nIn the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget\nstructure (pdev->gadget) was freed before its endpoints.\nThe endpoints are linked via the ep_list in the gadget structure.\nFreeing the gadget first leaves dangling pointers in the endpoint list.\nWhen the endpoints are subsequently freed, this results in a use-after-free.\n\nFix:\nBy separating the usb_del_gadget_udc() operation into distinct \"del\" and\n\"put\" steps, cdnsp_gadget_free_endpoints() can be executed prior to the\nfinal release of the gadget structure with usb_put_gadget().\n\nA patch similar to bb9c74a5bd14(\"usb: dwc3: gadget: Free gadget structure\n only after freeing endpoints\")."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/cdns3/cdnsp-gadget.c"],"versions":[{"version":"8bc1901ca7b07d864fca11461b3875b31f949765","lessThan":"0cf9a50af91fbdac3849f8d950e883a3eaa3ecea","status":"affected","versionType":"git"},{"version":"8bc1901ca7b07d864fca11461b3875b31f949765","lessThan":"37158ce6ba964b62d1e3eebd11f03c6900a52dd1","status":"affected","versionType":"git"},{"version":"8bc1901ca7b07d864fca11461b3875b31f949765","lessThan":"ea37884097a0931abb8e11e40eacfb25e9fdb5e9","status":"affected","versionType":"git"},{"version":"8bc1901ca7b07d864fca11461b3875b31f949765","lessThan":"9c52f01429c377a2d32cafc977465f37b5384f77","status":"affected","versionType":"git"},{"version":"8bc1901ca7b07d864fca11461b3875b31f949765","lessThan":"fdf573c517627a96f5040f988e9b21267806be5c","status":"affected","versionType":"git"},{"version":"8bc1901ca7b07d864fca11461b3875b31f949765","lessThan":"87c5ff5615dc0a37167e8faf3adeeddc6f1344a3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/cdns3/cdnsp-gadget.c"],"versions":[{"version":"5.3","status":"affected"},{"version":"0","lessThan":"5.3","status":"unaffected","versionType":"semver"},{"version":"5.15.197","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.159","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.117","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.58","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.8","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"5.15.197"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.1.159"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.6.117"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.12.58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.17.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.3","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0cf9a50af91fbdac3849f8d950e883a3eaa3ecea"},{"url":"https://git.kernel.org/stable/c/37158ce6ba964b62d1e3eebd11f03c6900a52dd1"},{"url":"https://git.kernel.org/stable/c/ea37884097a0931abb8e11e40eacfb25e9fdb5e9"},{"url":"https://git.kernel.org/stable/c/9c52f01429c377a2d32cafc977465f37b5384f77"},{"url":"https://git.kernel.org/stable/c/fdf573c517627a96f5040f988e9b21267806be5c"},{"url":"https://git.kernel.org/stable/c/87c5ff5615dc0a37167e8faf3adeeddc6f1344a3"}],"title":"usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget","x_generator":{"engine":"bippy-1.2.0"}}}}