CVE-2026-43324

Source
https://cve.org/CVERecord?id=CVE-2026-43324
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43324.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43324
Downstream
Published
2026-05-08T13:31:08.850Z
Modified
2026-07-08T08:13:29.673114939Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
USB: dummy-hcd: Fix interrupt synchronization error
Details

In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix interrupt synchronization error

This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned).

But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummyhcd: fix gpf in gadgetsetup") tried to fix this by moving the synchronizeirq() emulation code from dummystop() to dummy_pullup(), which runs before the unbind callback.

There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummypullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udcasynccallbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udcasync_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled.

That brings us to the current state of things, which is still wrong because the emulated synchronizeirq() occurs before the emulated interrupt-disable! That's no good, beause it means that more emulated interrupts can occur after the synchronizeirq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound.

To fix this, we have to move the synchronizeirq() emulation code yet again, to the dummyudcasynccallbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43324.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
04145a03db9d78469e0817ab3a767c76c0fb0947
Fixed
d847f375b1bcea713143bc02720d13d2d01b012a
Fixed
cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4
Fixed
5aa776c8615bea3b1eaeec87b0788375800ead4f
Fixed
94d4fab1dd9e64f45449bcc7d6a5acf796b13015
Fixed
5687a09776069bd915560021c9728ca528440128
Fixed
8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7
Fixed
2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43324.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.14.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.168
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43324.json"