CVE-2026-43431

xhci: Fix NULL pointer dereference when reading portli debugfs files

Assigner: Linux
Reserved: 01.05.2026 Published: 08.05.2026 Updated: 08.05.2026

In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix NULL pointer dereference when reading portli debugfs files

Michal reported and debgged a NULL pointer dereference bug in the recently added portli debugfs files

Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds the 'Supported Protocol' capabilities.

In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from 384c57ec720597f8104f69082cdd261abb998b80 to 9c8bef223c6e991276188d30d74bdb2cbd8be652 (excl.) affected from 384c57ec720597f8104f69082cdd261abb998b80 to ae4ff9dead5efa2025eddfcdb29411432bf40a7c (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from 384c57ec720597f8104f69082cdd261abb998b80 to 9c8bef223c6e991276188d30d74bdb2cbd8be652 (excl.)
affected from 384c57ec720597f8104f69082cdd261abb998b80 to ae4ff9dead5efa2025eddfcdb29411432bf40a7c (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.19 is affected unaffected from 0 to 6.19 (excl.) unaffected from 6.19.9 to 6.19.* (incl.) unaffected from 7.0 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 6.19 is affected
unaffected from 0 to 6.19 (excl.)
unaffected from 6.19.9 to 6.19.* (incl.)
unaffected from 7.0 to * (incl.)

References

CVE-2026-43431 PUBLISHED

xhci: Fix NULL pointer dereference when reading portli debugfs files

Product Status

References