CVE-2026-43324 (GCVE-0-2026-43324)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-11 22:22
VLAI
Title
USB: dummy-hcd: Fix interrupt synchronization error
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: dummy-hcd: Fix interrupt synchronization error
This fixes an error in synchronization in the dummy-hcd driver. The
error has a somewhat involved history. The synchronization mechanism
was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous
synchronization change"), which added an emulated "interrupts enabled"
flag together with code emulating synchronize_irq() (it waits until
all current handler callbacks have returned).
But the emulated interrupt-disable occurred too late, after the driver
containing the handler callback routines had been told that it was
unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb:
gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by
moving the synchronize_irq() emulation code from dummy_stop() to
dummy_pullup(), which runs before the unbind callback.
There still were races, though, because the emulated interrupt-disable
still occurred too late. It couldn't be moved to dummy_pullup(),
because that routine can be called for reasons other than an impending
unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add
udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement
udc_async_callbacks in dummy-hcd") added an API allowing the UDC core
to tell dummy-hcd exactly when emulated interrupts and their callbacks
should be disabled.
That brings us to the current state of things, which is still wrong
because the emulated synchronize_irq() occurs before the emulated
interrupt-disable! That's no good, beause it means that more emulated
interrupts can occur after the synchronize_irq() emulation has run,
leading to the possibility that a callback handler may be running when
the gadget driver is unbound.
To fix this, we have to move the synchronize_irq() emulation code yet
again, to the dummy_udc_async_callbacks() routine, which takes care of
enabling and disabling emulated interrupt requests. The
synchronization will now run immediately after emulated interrupts are
disabled, which is where it belongs.
Severity
7.8 (High)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
04145a03db9d78469e0817ab3a767c76c0fb0947 , < d847f375b1bcea713143bc02720d13d2d01b012a
(git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4 (git) Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 5aa776c8615bea3b1eaeec87b0788375800ead4f (git) Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 94d4fab1dd9e64f45449bcc7d6a5acf796b13015 (git) Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 5687a09776069bd915560021c9728ca528440128 (git) Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7 (git) Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541 (git) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.203 , ≤ 5.15.* (semver) Unaffected: 6.1.168 , ≤ 6.1.* (semver) Unaffected: 6.6.134 , ≤ 6.6.* (semver) Unaffected: 6.12.81 , ≤ 6.12.* (semver) Unaffected: 6.18.22 , ≤ 6.18.* (semver) Unaffected: 6.19.12 , ≤ 6.19.* (semver) Unaffected: 7.0 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/dummy_hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d847f375b1bcea713143bc02720d13d2d01b012a",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
},
{
"lessThan": "cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
},
{
"lessThan": "5aa776c8615bea3b1eaeec87b0788375800ead4f",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
},
{
"lessThan": "94d4fab1dd9e64f45449bcc7d6a5acf796b13015",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
},
{
"lessThan": "5687a09776069bd915560021c9728ca528440128",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
},
{
"lessThan": "8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
},
{
"lessThan": "2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541",
"status": "affected",
"version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/udc/dummy_hcd.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.14",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix interrupt synchronization error\n\nThis fixes an error in synchronization in the dummy-hcd driver. The\nerror has a somewhat involved history. The synchronization mechanism\nwas introduced by commit 7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous\nsynchronization change\"), which added an emulated \"interrupts enabled\"\nflag together with code emulating synchronize_irq() (it waits until\nall current handler callbacks have returned).\n\nBut the emulated interrupt-disable occurred too late, after the driver\ncontaining the handler callback routines had been told that it was\nunbound and no more callbacks would occur. Commit 4a5d797a9f9c (\"usb:\ngadget: dummy_hcd: fix gpf in gadget_setup\") tried to fix this by\nmoving the synchronize_irq() emulation code from dummy_stop() to\ndummy_pullup(), which runs before the unbind callback.\n\nThere still were races, though, because the emulated interrupt-disable\nstill occurred too late. It couldn\u0027t be moved to dummy_pullup(),\nbecause that routine can be called for reasons other than an impending\nunbind. Therefore commits 7dc0c55e9f30 (\"USB: UDC core: Add\nudc_async_callbacks gadget op\") and 04145a03db9d (\"USB: UDC: Implement\nudc_async_callbacks in dummy-hcd\") added an API allowing the UDC core\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\nshould be disabled.\n\nThat brings us to the current state of things, which is still wrong\nbecause the emulated synchronize_irq() occurs before the emulated\ninterrupt-disable! That\u0027s no good, beause it means that more emulated\ninterrupts can occur after the synchronize_irq() emulation has run,\nleading to the possibility that a callback handler may be running when\nthe gadget driver is unbound.\n\nTo fix this, we have to move the synchronize_irq() emulation code yet\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\nenabling and disabling emulated interrupt requests. The\nsynchronization will now run immediately after emulated interrupts are\ndisabled, which is where it belongs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T22:22:21.856Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a"
},
{
"url": "https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4"
},
{
"url": "https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f"
},
{
"url": "https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015"
},
{
"url": "https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128"
},
{
"url": "https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7"
},
{
"url": "https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541"
}
],
"title": "USB: dummy-hcd: Fix interrupt synchronization error",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43324",
"datePublished": "2026-05-08T13:31:08.850Z",
"dateReserved": "2026-05-01T14:12:56.002Z",
"dateUpdated": "2026-05-11T22:22:21.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43324",
"date": "2026-05-29",
"epss": "0.00013",
"percentile": "0.02518"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-43324\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T14:16:41.060\",\"lastModified\":\"2026-05-15T18:14:11.503\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: dummy-hcd: Fix interrupt synchronization error\\n\\nThis fixes an error in synchronization in the dummy-hcd driver. The\\nerror has a somewhat involved history. The synchronization mechanism\\nwas introduced by commit 7dbd8f4cabd9 (\\\"USB: dummy-hcd: Fix erroneous\\nsynchronization change\\\"), which added an emulated \\\"interrupts enabled\\\"\\nflag together with code emulating synchronize_irq() (it waits until\\nall current handler callbacks have returned).\\n\\nBut the emulated interrupt-disable occurred too late, after the driver\\ncontaining the handler callback routines had been told that it was\\nunbound and no more callbacks would occur. Commit 4a5d797a9f9c (\\\"usb:\\ngadget: dummy_hcd: fix gpf in gadget_setup\\\") tried to fix this by\\nmoving the synchronize_irq() emulation code from dummy_stop() to\\ndummy_pullup(), which runs before the unbind callback.\\n\\nThere still were races, though, because the emulated interrupt-disable\\nstill occurred too late. It couldn\u0027t be moved to dummy_pullup(),\\nbecause that routine can be called for reasons other than an impending\\nunbind. Therefore commits 7dc0c55e9f30 (\\\"USB: UDC core: Add\\nudc_async_callbacks gadget op\\\") and 04145a03db9d (\\\"USB: UDC: Implement\\nudc_async_callbacks in dummy-hcd\\\") added an API allowing the UDC core\\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\\nshould be disabled.\\n\\nThat brings us to the current state of things, which is still wrong\\nbecause the emulated synchronize_irq() occurs before the emulated\\ninterrupt-disable! That\u0027s no good, beause it means that more emulated\\ninterrupts can occur after the synchronize_irq() emulation has run,\\nleading to the possibility that a callback handler may be running when\\nthe gadget driver is unbound.\\n\\nTo fix this, we have to move the synchronize_irq() emulation code yet\\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\\nenabling and disabling emulated interrupt requests. The\\nsynchronization will now run immediately after emulated interrupts are\\ndisabled, which is where it belongs.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14\",\"versionEndExcluding\":\"5.15.203\",\"matchCriteriaId\":\"D6A985A0-96A3-4E0A-B271-C7200F325EF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.168\",\"matchCriteriaId\":\"E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.134\",\"matchCriteriaId\":\"F56F925B-BAF8-4F4B-B62F-1496AF19A307\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.81\",\"matchCriteriaId\":\"6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.22\",\"matchCriteriaId\":\"C9DF8BCE-36D3-475D-9D21-19E4F02F9029\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.12\",\"matchCriteriaId\":\"0A2B9540-02D5-41B4-B16A-82AF66FD4F36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…