CVE-2026-43327

MEDIUM EPSS 0.8%
Published May 8, 20261mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
0.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-667

Affected Products 19

VendorProductVersionRange
linuxlinux_kernel*≥3.2.97  –  <3.3
linuxlinux_kernel*≥3.16.52  –  <3.17
linuxlinux_kernel*≥4.1.46  –  <4.2
linuxlinux_kernel*≥4.4.92  –  <4.5
linuxlinux_kernel*≥4.9.55  –  <4.10
linuxlinux_kernel*≥4.14  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.168
linuxlinux_kernel*≥6.2  –  <6.6.134
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031
    Patch