CVE-2026-43324 (GCVE-0-2026-43324)

Vulnerability from cvelistv5 – Published: 2026-05-08 13:31 – Updated: 2026-05-08 13:31
Title
USB: dummy-hcd: Fix interrupt synchronization error
Summary
In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix interrupt synchronization error

This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned).

But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback.

There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udc_async_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled.

That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That's no good, because it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound.

To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs.
Severity ?
No CVSS data available.
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < d847f375b1bcea713143bc02720d13d2d01b012a (git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4 (git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 5aa776c8615bea3b1eaeec87b0788375800ead4f (git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 94d4fab1dd9e64f45449bcc7d6a5acf796b13015 (git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 5687a09776069bd915560021c9728ca528440128 (git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7 (git)
Affected: 04145a03db9d78469e0817ab3a767c76c0fb0947 , < 2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541 (git)
Linux Linux Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.168 , ≤ 6.1.* (semver)
Unaffected: 6.6.134 , ≤ 6.6.* (semver)
Unaffected: 6.12.81 , ≤ 6.12.* (semver)
Unaffected: 6.18.22 , ≤ 6.18.* (semver)
Unaffected: 6.19.12 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/udc/dummy_hcd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d847f375b1bcea713143bc02720d13d2d01b012a",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            },
            {
              "lessThan": "cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            },
            {
              "lessThan": "5aa776c8615bea3b1eaeec87b0788375800ead4f",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            },
            {
              "lessThan": "94d4fab1dd9e64f45449bcc7d6a5acf796b13015",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            },
            {
              "lessThan": "5687a09776069bd915560021c9728ca528440128",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            },
            {
              "lessThan": "8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            },
            {
              "lessThan": "2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541",
              "status": "affected",
              "version": "04145a03db9d78469e0817ab3a767c76c0fb0947",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/udc/dummy_hcd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.134",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.81",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.22",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.12",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix interrupt synchronization error\n\nThis fixes an error in synchronization in the dummy-hcd driver.  The\nerror has a somewhat involved history.  The synchronization mechanism\nwas introduced by commit 7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous\nsynchronization change\"), which added an emulated \"interrupts enabled\"\nflag together with code emulating synchronize_irq() (it waits until\nall current handler callbacks have returned).\n\nBut the emulated interrupt-disable occurred too late, after the driver\ncontaining the handler callback routines had been told that it was\nunbound and no more callbacks would occur.  Commit 4a5d797a9f9c (\"usb:\ngadget: dummy_hcd: fix gpf in gadget_setup\") tried to fix this by\nmoving the synchronize_irq() emulation code from dummy_stop() to\ndummy_pullup(), which runs before the unbind callback.\n\nThere still were races, though, because the emulated interrupt-disable\nstill occurred too late.  It couldn\u0027t be moved to dummy_pullup(),\nbecause that routine can be called for reasons other than an impending\nunbind.  Therefore commits 7dc0c55e9f30 (\"USB: UDC core: Add\nudc_async_callbacks gadget op\") and 04145a03db9d (\"USB: UDC: Implement\nudc_async_callbacks in dummy-hcd\") added an API allowing the UDC core\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\nshould be disabled.\n\nThat brings us to the current state of things, which is still wrong\nbecause the emulated synchronize_irq() occurs before the emulated\ninterrupt-disable!  That\u0027s no good, beause it means that more emulated\ninterrupts can occur after the synchronize_irq() emulation has run,\nleading to the possibility that a callback handler may be running when\nthe gadget driver is unbound.\n\nTo fix this, we have to move the synchronize_irq() emulation code yet\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\nenabling and disabling emulated interrupt requests.  The\nsynchronization will now run immediately after emulated interrupts are\ndisabled, which is where it belongs."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T13:31:08.850Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a"
        },
        {
          "url": "https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015"
        },
        {
          "url": "https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128"
        },
        {
          "url": "https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541"
        }
      ],
      "title": "USB: dummy-hcd: Fix interrupt synchronization error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43324",
    "datePublished": "2026-05-08T13:31:08.850Z",
    "dateReserved": "2026-05-01T14:12:56.002Z",
    "dateUpdated": "2026-05-08T13:31:08.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43324",
      "date": "2026-05-09",
      "epss": "0.00024",
      "percentile": "0.07036"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43324\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T14:16:41.060\",\"lastModified\":\"2026-05-08T14:16:41.060\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nUSB: dummy-hcd: Fix interrupt synchronization error\\n\\nThis fixes an error in synchronization in the dummy-hcd driver.  The\\nerror has a somewhat involved history.  The synchronization mechanism\\nwas introduced by commit 7dbd8f4cabd9 (\\\"USB: dummy-hcd: Fix erroneous\\nsynchronization change\\\"), which added an emulated \\\"interrupts enabled\\\"\\nflag together with code emulating synchronize_irq() (it waits until\\nall current handler callbacks have returned).\\n\\nBut the emulated interrupt-disable occurred too late, after the driver\\ncontaining the handler callback routines had been told that it was\\nunbound and no more callbacks would occur.  Commit 4a5d797a9f9c (\\\"usb:\\ngadget: dummy_hcd: fix gpf in gadget_setup\\\") tried to fix this by\\nmoving the synchronize_irq() emulation code from dummy_stop() to\\ndummy_pullup(), which runs before the unbind callback.\\n\\nThere still were races, though, because the emulated interrupt-disable\\nstill occurred too late.  It couldn\u0027t be moved to dummy_pullup(),\\nbecause that routine can be called for reasons other than an impending\\nunbind.  Therefore commits 7dc0c55e9f30 (\\\"USB: UDC core: Add\\nudc_async_callbacks gadget op\\\") and 04145a03db9d (\\\"USB: UDC: Implement\\nudc_async_callbacks in dummy-hcd\\\") added an API allowing the UDC core\\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\\nshould be disabled.\\n\\nThat brings us to the current state of things, which is still wrong\\nbecause the emulated synchronize_irq() occurs before the emulated\\ninterrupt-disable!  That\u0027s no good, beause it means that more emulated\\ninterrupts can occur after the synchronize_irq() emulation has run,\\nleading to the possibility that a callback handler may be running when\\nthe gadget driver is unbound.\\n\\nTo fix this, we have to move the synchronize_irq() emulation code yet\\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\\nenabling and disabling emulated interrupt requests.  The\\nsynchronization will now run immediately after emulated interrupts are\\ndisabled, which is where it belongs.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

