Skip to main content

Linux Kernel CVE-2026-43431

| EUVDEUVD-2026-28737 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-q7mh-rc36-3j7h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:24 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix NULL pointer dereference when reading portli debugfs files

Michal reported and debgged a NULL pointer dereference bug in the recently added portli debugfs files

Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds the 'Supported Protocol' capabilities.

In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub.

AnalysisAI

NULL pointer dereference in the Linux kernel's xhci USB host controller debugfs interface allows a local low-privileged user to crash the kernel (denial of service) by reading portli debugfs files. The flaw surfaces when xhci's max_ports count exceeds the number of ports covered by Supported Protocol capabilities - producing NULL rhub pointers - which the portli read handler dereferences without checking. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating negligible broad exploitation interest; the vulnerability is not listed in CISA KEV.

Technical ContextAI

The affected code resides in the xhci (Extensible Host Controller Interface) USB driver's recently added portli (Port Link Info) debugfs file handler. Port-to-root-hub (rhub) assignments are derived from 'Supported Protocol' Extended Capability structures in the xHCI register set, while max_ports is calculated from a separate register. When these two values diverge - either because max_ports is larger than the highest port number assigned by any capability, or because speed-group gaps leave certain port indices unassigned - the corresponding entries in the kernel's port array carry a NULL rhub pointer. The debugfs read path for portli blindly dereferences port->rhub to reach the parent xhci_hcd structure without a prior NULL guard, triggering CWE-476 (NULL Pointer Dereference) and producing a kernel Oops. The CPE string cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* confirms the affected component is the mainline Linux kernel.

RemediationAI

The primary fix is to upgrade to Linux 6.19.9 or apply the two upstream stable commits (9c8bef223c6e991276188d30d74bdb2cbd8be652 and ae4ff9dead5efa2025eddfcdb29411432bf40a7c) published at https://git.kernel.org/stable/c/9c8bef223c6e991276188d30d74bdb2cbd8be652 and https://git.kernel.org/stable/c/ae4ff9dead5efa2025eddfcdb29411432bf40a7c; distribution vendors should incorporate these into their next stable kernel update. As a compensating control prior to patching, unmounting debugfs ('umount /sys/kernel/debug') prevents any local user from reaching the vulnerable portli files, though this disables all debugfs-based diagnostic tooling including perf, tracing, and driver debug interfaces - acceptable in production environments but disruptive on developer or diagnostic systems. A more targeted alternative is to restrict read permissions on /sys/kernel/debug/xhci/ to root only via udev rules or systemd-tmpfiles, limiting exposure to privileged users only while preserving debugfs availability for administrative tasks.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy