Skip to main content

Linux Kernel EUVDEUVD-2026-28611

| CVE-2026-43327 MEDIUM
Improper Locking (CWE-667)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-mhgr-c53r-gx3p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 18:07 vuln.today
CVSS changed
May 15, 2026 - 18:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix locking/synchronization error

Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind.

These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first.

The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented.

The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.

AnalysisAI

Race condition in Linux kernel's dummy-hcd USB gadget driver causes kernel crash and denial of service when USB reset occurs simultaneously with driver unbind. Syzbot testing triggered NULL pointer dereference in usb_gadget_udc_reset() due to improper spinlock handling in stop_activity() that allowed dum->driver to be cleared prematurely. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) suggests very low observed exploitation probability. Not listed in CISA KEV, indicating no confirmed active exploitation.

Technical ContextAI

The dummy-hcd driver (drivers/usb/gadgets/udc/dummy_hcd.c) provides a virtual USB host controller for testing USB gadget drivers. This vulnerability stems from CWE-667 (Improper Locking) in the synchronization mechanism protecting critical data structures during USB reset and driver unbind operations. The stop_activity() function temporarily releases and reacquires the dum->lock spinlock, creating a race window. The dum->callback_usage counter was intended to prevent driver structure teardown during active callbacks per commit 7dbd8f4cabd9, but the increment occurred after stop_activity() rather than before, allowing another thread to bypass the protection. When set_link_state() calls stop_activity() after checking dum->ints_enabled but before incrementing dum->callback_usage, a concurrent unbind thread can clear dum->driver, resulting in NULL pointer dereference when usb_gadget_udc_reset() is subsequently called. The CPE data confirms this affects the mainline Linux kernel across multiple stable branches from 4.14 through 7.0, with fixes backported to long-term support versions.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253+ for 5.10.x series, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Patches available from git.kernel.org stable repository with commit hashes listed in references. Systems not using USB gadget functionality can mitigate by unloading or blacklisting the dummy_hcd kernel module (modprobe -r dummy_hcd, then add 'blacklist dummy_hcd' to /etc/modprobe.d/blacklist.conf), though this prevents legitimate USB gadget testing workflows. For embedded devices where USB gadget mode is required but dummy-hcd is not, ensure only necessary USB gadget drivers are loaded. Note that disabling the dummy-hcd module has no functional impact on production systems as this driver exists solely for development/testing purposes. No service restart required after module blacklisting beyond initial unload, but kernel upgrade requires reboot. Consult distribution-specific security advisories for backported patches in enterprise Linux distributions (RHEL, SLES, Ubuntu LTS).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy