Skip to main content

Linux Kernel CVE-2026-43324

| EUVDEUVD-2026-28608 HIGH
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4f56-4jhm-5934
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:23 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix interrupt synchronization error

This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned).

But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback.

There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udc_async_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled.

That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That's no good, beause it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound.

To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs.

AnalysisAI

Race condition in the Linux kernel's dummy-hcd USB driver allows local authenticated users to trigger use-after-free conditions during gadget driver unbinding, potentially enabling privilege escalation, information disclosure, or denial of service. The flaw stems from incorrect ordering of interrupt synchronization - emulated synchronize_irq() runs before interrupt-disable, allowing callbacks to execute after the gadget driver is unbound. Patched versions include 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, and mainline 7.0. EPSS score of 0.02% (7th percentile) indicates very low probability of exploitation in the wild, with no confirmed active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability affects the dummy-hcd driver, a software-emulated USB host controller used primarily for testing and development of USB gadget drivers in the Linux kernel. The driver emulates hardware interrupts in software, requiring careful synchronization during gadget driver unbinding. The root cause is a timing flaw in the interrupt synchronization mechanism where synchronize_irq() emulation executes before the emulated interrupt-disable flag is set in the dummy_udc_async_callbacks() routine. This violates the fundamental principle that interrupt synchronization must occur after interrupts are disabled to ensure no new callbacks are queued. The flawed sequence creates a window where interrupt callbacks can execute after the gadget driver's unbind routine has completed, leading to use-after-free conditions when callback handlers reference freed driver data structures. The vulnerability was introduced by commit 04145a03db9d and affects all kernel versions from 5.14 onwards until patched. The fix relocates the synchronize_irq() emulation to run immediately after interrupt-disable within dummy_udc_async_callbacks(), closing the race window.

RemediationAI

Upgrade to patched Linux kernel versions: 5.15.203 or later for 5.15.x LTS branch, 6.1.168+ for 6.1.x LTS, 6.6.134+ for 6.6.x stable, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or mainline 7.0+. Patch details and source commits are available at https://git.kernel.org/stable/ with commit IDs listed in NVD references. For systems where immediate kernel upgrade is not feasible, workaround options include: (1) unload or blacklist the dummy_hcd kernel module if not required - add 'blacklist dummy_hcd' to /etc/modprobe.d/blacklist.conf and rebuild initramfs, noting this disables USB gadget emulation functionality used primarily in development environments; (2) restrict loading of USB gadget modules to privileged users only through kernel module signing enforcement and module loading restrictions in /etc/modprobe.d/, though this requires kernel built with CONFIG_MODULE_SIG_FORCE; (3) apply namespace restrictions using user namespaces to limit which users can trigger USB gadget operations, configured via sysctl kernel.unprivileged_userns_clone=0 on distributions supporting this control, which may break containerized workloads. Production systems not using USB gadget functionality (the typical case for servers and desktops) face minimal operational impact from unloading dummy_hcd. Development and embedded systems requiring USB gadget emulation should prioritize the kernel upgrade path as compensating controls significantly impair required functionality.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy