{"api_version":"1","generated_at":"2026-06-03T02:05:44+00:00","cve":"CVE-2026-45911","urls":{"html":"https://cve.report/CVE-2026-45911","api":"https://cve.report/api/cve/CVE-2026-45911.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45911","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45911"},"summary":{"title":"usb: cdns3: fix role switching during resume","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix role switching during resume\n\nIf the role change while we are suspended, the cdns3 driver switches to the\nnew mode during resume. However, switching to host mode in this context\ncauses a NULL pointer dereference.\n\nThe host role's start() operation registers a xhci-hcd device, but its\nprobe is deferred while we are in the resume path. The host role's resume()\noperation assumes the xhci-hcd device is already probed, which is not the\ncase, leading to the dereference. Since the start() operation of the new\nrole is already called, the resume operation can be skipped.\n\nSo skip the resume operation for the new role if a role switch occurs\nduring resume. Once the resume sequence is complete, the xhci-hcd device\ncan be probed in case of host mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000208\nMem abort info:\n...\nData abort info:\n...\n[0000000000000208] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 146 Comm: sh Not tainted\n6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT\nHardware name: Texas Instruments J7200 EVM (DT)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usb_hcd_is_primary_hcd+0x0/0x1c\nlr : cdns_host_resume+0x24/0x5c\n...\nCall trace:\n usb_hcd_is_primary_hcd+0x0/0x1c (P)\n cdns_resume+0x6c/0xbc\n cdns3_controller_resume.isra.0+0xe8/0x17c\n cdns3_plat_resume+0x18/0x24\n platform_pm_resume+0x2c/0x68\n dpm_run_callback+0x90/0x248\n device_resume+0x100/0x24c\n dpm_resume+0x190/0x2ec\n dpm_resume_end+0x18/0x34\n suspend_devices_and_enter+0x2b0/0xa44\n pm_suspend+0x16c/0x5fc\n state_store+0x80/0xec\n kobj_attr_store+0x18/0x2c\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x130/0x1dc\n vfs_write+0x240/0x370\n ksys_write+0x70/0x108\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0x108\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)\n---[ end trace 0000000000000000 ]---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:05","updated_at":"2026-05-27 14:48:31"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/94c742614899ff18a6b3e6f3cfbe7b9f36c865f3","name":"https://git.kernel.org/stable/c/94c742614899ff18a6b3e6f3cfbe7b9f36c865f3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/49c99dc247ebf7361db9dbdade3dcebfffaf2c22","name":"https://git.kernel.org/stable/c/49c99dc247ebf7361db9dbdade3dcebfffaf2c22","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/87e4b043b98a1d269be0b812f383881abee0ca45","name":"https://git.kernel.org/stable/c/87e4b043b98a1d269be0b812f383881abee0ca45","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/56289298431ed76700b9aac27a3b1d929fe61b8d","name":"https://git.kernel.org/stable/c/56289298431ed76700b9aac27a3b1d929fe61b8d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fc086c0ce3db0eefbbeb66a5b1e626296336e33a","name":"https://git.kernel.org/stable/c/fc086c0ce3db0eefbbeb66a5b1e626296336e33a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ff02bd303d2d78051771db51119d66c0cf442f47","name":"https://git.kernel.org/stable/c/ff02bd303d2d78051771db51119d66c0cf442f47","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d637f6ec149ffd2f8257bcc261561dc2e44dbb8c","name":"https://git.kernel.org/stable/c/d637f6ec149ffd2f8257bcc261561dc2e44dbb8c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45911","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45911","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb ff02bd303d2d78051771db51119d66c0cf442f47 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb 94c742614899ff18a6b3e6f3cfbe7b9f36c865f3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb d637f6ec149ffd2f8257bcc261561dc2e44dbb8c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb 56289298431ed76700b9aac27a3b1d929fe61b8d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb fc086c0ce3db0eefbbeb66a5b1e626296336e33a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb 49c99dc247ebf7361db9dbdade3dcebfffaf2c22 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2cf2581cd2290ccef674f1be5f7977d66702eedb 87e4b043b98a1d269be0b812f383881abee0ca45 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.13","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.13 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.77 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45911","cve":"CVE-2026-45911","epss":"0.000240000","percentile":"0.073320000","score_date":"2026-06-01","updated_at":"2026-06-02 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/usb/cdns3/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"ff02bd303d2d78051771db51119d66c0cf442f47","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"},{"lessThan":"94c742614899ff18a6b3e6f3cfbe7b9f36c865f3","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"},{"lessThan":"d637f6ec149ffd2f8257bcc261561dc2e44dbb8c","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"},{"lessThan":"56289298431ed76700b9aac27a3b1d929fe61b8d","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"},{"lessThan":"fc086c0ce3db0eefbbeb66a5b1e626296336e33a","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"},{"lessThan":"49c99dc247ebf7361db9dbdade3dcebfffaf2c22","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"},{"lessThan":"87e4b043b98a1d269be0b812f383881abee0ca45","status":"affected","version":"2cf2581cd2290ccef674f1be5f7977d66702eedb","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/usb/cdns3/core.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.13"},{"lessThan":"5.13","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.77","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.77","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"5.13","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.13","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix role switching during resume\n\nIf the role change while we are suspended, the cdns3 driver switches to the\nnew mode during resume. However, switching to host mode in this context\ncauses a NULL pointer dereference.\n\nThe host role's start() operation registers a xhci-hcd device, but its\nprobe is deferred while we are in the resume path. The host role's resume()\noperation assumes the xhci-hcd device is already probed, which is not the\ncase, leading to the dereference. Since the start() operation of the new\nrole is already called, the resume operation can be skipped.\n\nSo skip the resume operation for the new role if a role switch occurs\nduring resume. Once the resume sequence is complete, the xhci-hcd device\ncan be probed in case of host mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000208\nMem abort info:\n...\nData abort info:\n...\n[0000000000000208] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 146 Comm: sh Not tainted\n6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT\nHardware name: Texas Instruments J7200 EVM (DT)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usb_hcd_is_primary_hcd+0x0/0x1c\nlr : cdns_host_resume+0x24/0x5c\n...\nCall trace:\n usb_hcd_is_primary_hcd+0x0/0x1c (P)\n cdns_resume+0x6c/0xbc\n cdns3_controller_resume.isra.0+0xe8/0x17c\n cdns3_plat_resume+0x18/0x24\n platform_pm_resume+0x2c/0x68\n dpm_run_callback+0x90/0x248\n device_resume+0x100/0x24c\n dpm_resume+0x190/0x2ec\n dpm_resume_end+0x18/0x34\n suspend_devices_and_enter+0x2b0/0xa44\n pm_suspend+0x16c/0x5fc\n state_store+0x80/0xec\n kobj_attr_store+0x18/0x2c\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x130/0x1dc\n vfs_write+0x240/0x370\n ksys_write+0x70/0x108\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0x108\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)\n---[ end trace 0000000000000000 ]---"}],"providerMetadata":{"dateUpdated":"2026-05-27T12:17:26.924Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/ff02bd303d2d78051771db51119d66c0cf442f47"},{"url":"https://git.kernel.org/stable/c/94c742614899ff18a6b3e6f3cfbe7b9f36c865f3"},{"url":"https://git.kernel.org/stable/c/d637f6ec149ffd2f8257bcc261561dc2e44dbb8c"},{"url":"https://git.kernel.org/stable/c/56289298431ed76700b9aac27a3b1d929fe61b8d"},{"url":"https://git.kernel.org/stable/c/fc086c0ce3db0eefbbeb66a5b1e626296336e33a"},{"url":"https://git.kernel.org/stable/c/49c99dc247ebf7361db9dbdade3dcebfffaf2c22"},{"url":"https://git.kernel.org/stable/c/87e4b043b98a1d269be0b812f383881abee0ca45"}],"title":"usb: cdns3: fix role switching during resume","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45911","datePublished":"2026-05-27T12:17:26.924Z","dateReserved":"2026-05-13T15:03:33.084Z","dateUpdated":"2026-05-27T12:17:26.924Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:05","lastModifiedDate":"2026-05-27 14:48:31","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45911","Ordinal":"1","Title":"usb: cdns3: fix role switching during resume","CVE":"CVE-2026-45911","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45911","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdns3: fix role switching during resume\n\nIf the role change while we are suspended, the cdns3 driver switches to the\nnew mode during resume. However, switching to host mode in this context\ncauses a NULL pointer dereference.\n\nThe host role's start() operation registers a xhci-hcd device, but its\nprobe is deferred while we are in the resume path. The host role's resume()\noperation assumes the xhci-hcd device is already probed, which is not the\ncase, leading to the dereference. Since the start() operation of the new\nrole is already called, the resume operation can be skipped.\n\nSo skip the resume operation for the new role if a role switch occurs\nduring resume. Once the resume sequence is complete, the xhci-hcd device\ncan be probed in case of host mode.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000208\nMem abort info:\n...\nData abort info:\n...\n[0000000000000208] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1]  SMP\nModules linked in:\nCPU: 0 UID: 0 PID: 146 Comm: sh Not tainted\n6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT\nHardware name: Texas Instruments J7200 EVM (DT)\npstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : usb_hcd_is_primary_hcd+0x0/0x1c\nlr : cdns_host_resume+0x24/0x5c\n...\nCall trace:\n usb_hcd_is_primary_hcd+0x0/0x1c (P)\n cdns_resume+0x6c/0xbc\n cdns3_controller_resume.isra.0+0xe8/0x17c\n cdns3_plat_resume+0x18/0x24\n platform_pm_resume+0x2c/0x68\n dpm_run_callback+0x90/0x248\n device_resume+0x100/0x24c\n dpm_resume+0x190/0x2ec\n dpm_resume_end+0x18/0x34\n suspend_devices_and_enter+0x2b0/0xa44\n pm_suspend+0x16c/0x5fc\n state_store+0x80/0xec\n kobj_attr_store+0x18/0x2c\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x130/0x1dc\n vfs_write+0x240/0x370\n ksys_write+0x70/0x108\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0x40/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x34/0x108\n el0t_64_sync_handler+0xa0/0xe4\n el0t_64_sync+0x198/0x19c\nCode: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401)\n---[ end trace 0000000000000000 ]---","Type":"Description","Title":"usb: cdns3: fix role switching during resume"}]}}}