Skip to main content

Linux Kernel CVE-2026-43426

| EUVDEUVD-2026-28732 HIGH
Use After Free (CWE-416)
2026-05-08 Linux GHSA-6vj2-gjw9-6mgj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:37 vuln.today
CVSS changed
May 20, 2026 - 18:37 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: renesas_usbhs: fix use-after-free in ISR during device removal

In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free.

Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called.

AnalysisAI

Use-after-free in the Linux kernel's Renesas USB host (renesas_usbhs) driver allows a local low-privileged attacker to potentially corrupt memory or escalate privileges during device removal. The flaw stems from the interrupt handler remaining registered while driver resources, including the pipe array, are freed in usbhs_remove(), creating a race window where the ISR can dereference freed memory. EPSS is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the kernel-level memory corruption impact (CVSS 7.8) makes it a meaningful local risk on affected Renesas USB hardware.

Technical ContextAI

The vulnerability sits in drivers/usb/renesas_usbhs, the host controller driver for Renesas USB IP blocks (commonly found on SH-Mobile, R-Car, and RZ-series SoCs). The CWE-416 (Use-After-Free) root cause is a classic teardown ordering bug: usbhs_remove() invokes usbhs_pipe_remove() to free the pipe array before calling devm_free_irq() to unregister the usbhs_interrupt handler. Because devm_free_irq() also synchronizes with any in-flight ISR (waits for it to complete), invoking it after resource cleanup leaves a window where a hardware-triggered interrupt during driver unbind reads pipe structures whose backing memory has already been released, leading to undefined behavior in kernel context. The fix simply reorders the teardown to free the IRQ first.

RemediationAI

Apply the vendor-released patch by upgrading to a fixed stable kernel: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or mainline 7.0 or later, depending on which stable branch you track. The upstream fix commits are available at https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f and the related stable backports listed in the references. If patching is not immediately feasible on embedded Renesas hardware where kernel updates are gated by the SoC vendor BSP, compensating controls are limited: blacklist the renesas_usbhs module via /etc/modprobe.d if the controller is not required (trade-off: disables USB on that interface entirely), restrict USB device bind/unbind operations to root by tightening udev rules and removing user write access to /sys/bus/usb/drivers/*/unbind (trade-off: may break hot-plug workflows), and limit physical access to USB ports to reduce attacker-induced removal events.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43426 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy