Skip to main content

Linux Kernel CVE-2026-43432

| EUVDEUVD-2026-28738 MEDIUM
Memory Leak (CWE-401)
2026-05-08 Linux GHSA-h4qw-x67f-352p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:24 vuln.today
CVSS changed
May 20, 2026 - 18:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Fix memory leak in xhci_disable_slot()

xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak.

Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the associated completion structure. Since the command structure is allocated with zero-initialization, command->in_ctx is NULL and will not be erroneously freed by xhci_free_command().

This bug was found using an experimental static analysis tool we are developing. The tool is based on the LLVM framework and is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available, but we plan to open-source it after our research is published.

The bug was originally detected on v6.13-rc1 using our static analysis tool, and we have verified that the issue persists in the latest mainline kernel.

We performed build testing on x86_64 with allyesconfig using GCC=11.4.0. Since triggering these error paths in xhci_disable_slot() requires specific hardware conditions or abnormal state, we were unable to construct a test case to reliably trigger these specific error paths at runtime.

AnalysisAI

Memory leak in the Linux kernel xHCI USB host controller driver's xhci_disable_slot() function causes kernel memory exhaustion under error conditions, leading to denial of service. Affected kernels span multiple stable branches from the introduction commit through versions before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0. A local low-privileged user who can trigger USB xHCI slot disable error paths - requiring specific hardware fault conditions - could accumulate kernel memory leaks over time, ultimately causing system instability. No public exploit identified at time of analysis; EPSS is 0.03% (9th percentile), reflecting negligible real-world exploitation likelihood.

Technical ContextAI

The vulnerability resides in the xHCI (Extensible Host Controller Interface) USB driver (drivers/usb/host/xhci.c) within the Linux kernel. xhci_alloc_command() accepts a boolean second argument that, when true, allocates an additional kernel completion structure alongside the base command structure. The error handling path in xhci_disable_slot() used kfree() to release only the outer command structure, leaving the separately allocated completion structure unfreed - a textbook CWE-401 (Missing Release of Memory after Effective Lifetime) defect. The fix replaces the bare kfree() call with xhci_free_command(), which correctly deallocates both structures; the zero-initialized command->in_ctx field ensures xhci_free_command() does not erroneously attempt to free an unrelated input context. The bug was identified via static analysis on v6.13-rc1 using an LLVM-based research tool and confirmed to persist in mainline. CPE string cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covers all affected kernel versions within the vulnerable commit range.

RemediationAI

Upgrade to the appropriate patched Linux kernel stable release for your branch: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0. Upstream fix commits are available at https://git.kernel.org/stable/c/1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62, https://git.kernel.org/stable/c/807e4fb5140c73eb5dba1e399a990db5c1f3cdf8, https://git.kernel.org/stable/c/46aea90763832cd6e9b0c2e1c00e6a9512156d4b, https://git.kernel.org/stable/c/2e2baa8fb5aa4d080cbfeb84c51eff797529f413, https://git.kernel.org/stable/c/c65f1b840ab8ce72ba68f1b63bab7960f8fdfa89, https://git.kernel.org/stable/c/078b446efc0f5e496c31bccb72b98af979963a83, https://git.kernel.org/stable/c/c1c8550e70401159184130a1afc6261db01fc0ce, and https://git.kernel.org/stable/c/6288baf0c8c4dcfbf206773aede9c1f2269cec28. If patching is deferred, restrict USB device attachment to trusted hardware to reduce error-path exposure, and limit local user privileges - neither fully mitigates the leak but reduces the opportunity surface. Given that the error paths require hardware fault conditions, risk without patching is low in stable hardware environments.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy