Skip to main content

Linux Kernel CVE-2026-43488

| EUVDEUVD-2026-30024 MEDIUM
2026-05-13 Linux GHSA-5x4m-q4p4-96j6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local physical access with low privileges needed to hotplug a UAS device; availability-only impact from interrupt storm; no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 26, 2026 - 21:54 vuln.today
CVSS changed
Jun 26, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 13, 2026 - 16:33 EUVD
CVE Published
May 13, 2026 - 15:08 nvd
MEDIUM 5.5
CVE Published
May 13, 2026 - 15:08 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Prevent interrupt storm on host controller error (HCE)

The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults.

When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt().

Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors.

This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.

AnalysisAI

Interrupt storm vulnerability in the Linux kernel xHCI USB host controller driver allows a local user to cause a complete system availability loss by triggering a Host Controller Error (HCE) via UAS storage device hotplug events. Affected kernel versions prior to 6.6.130, 6.12.78, 6.18.19, 6.19.9, and 7.0 fail to invoke xhci_halt() when HCE is detected in xhci_irq(), leaving the interrupt uncleared and the controller running - resulting in a continuous interrupt storm. No public exploit has been identified and EPSS is 0.02% (5th percentile), consistent with the hardware-interaction-dependent trigger, but availability impact is high on affected hosts where USB ports are physically accessible.

Technical ContextAI

The vulnerability resides in the xHCI (eXtensible Host Controller Interface) USB host controller driver, specifically in the xhci_irq() interrupt service routine within the Linux kernel (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*). When the xHC hardware asserts a Host Controller Error (STS_HCE status bit), the driver logs a warning and relies on the xHCI specification's assumption that controller activity will cease - but does not call xhci_halt() to programmatically stop the controller. On certain xHCI controller implementations, the hardware continues asserting the interrupt after HCE, and because the driver never clears or masks it, the system enters an unbreakable interrupt storm. The fix mirrors the existing STS_FATAL error handling pattern by adding xhci_halt() to the STS_HCE code path. The trigger is specifically the UAS (USB Attached SCSI) storage device plug/unplug scenario, reported on Android-based hosts. No CWE is formally assigned, but this is a logic/incomplete-error-handling flaw rather than a memory safety issue.

RemediationAI

The primary remediation is to upgrade to a patched Linux kernel version: 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0, with fix commits available at https://git.kernel.org/stable/c/b2dd9abf8c06cfcbcf242321fd54ae51a4807705 and the other referenced stable commits. For systems that cannot be immediately patched, blacklisting the UAS kernel module (adding 'blacklist uas' to /etc/modprobe.d/) prevents UAS-mode storage enumeration and eliminates the trigger condition - trade-off is that UAS-capable USB drives will fall back to the slower USB Mass Storage (BOT) protocol or may fail to enumerate entirely depending on device firmware. On systems where USB storage is not operationally needed, disabling the USB storage and UAS modules entirely ('blacklist usb_storage' and 'blacklist uas') provides a stronger compensating control with the obvious trade-off of disabling all USB mass storage. Physical port controls (port locks, BIOS USB disable) prevent the hotplug trigger entirely on fixed-use systems. No formal vendor advisory URL beyond upstream kernel stable commits has been identified.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-43488 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy