CVE-2026-43250 - Vulnerability Details

- usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()

The ChipIdea UDC driver can encounter "not page aligned sg buffer"
errors when a USB device is reconnected after being disconnected
during an active transfer. This occurs because _ep_nuke() returns
requests to the gadget layer without properly unmapping DMA buffers
or cleaning up scatter-gather bounce buffers.

Root cause:
When a disconnect happens during a multi-segment DMA transfer, the
request's num_mapped_sgs field and sgt.sgl pointer remain set with
stale values. The request is returned to the gadget driver with status
-ESHUTDOWN but still has active DMA state. If the gadget driver reuses
this request on reconnect without reinitializing it, the stale DMA
state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero
num_mapped_sgs) and attempt to use freed/invalid DMA addresses,
leading to alignment errors and potential memory corruption.

The normal completion path via _hardware_dequeue() properly calls
usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before
returning the request. The _ep_nuke() path must do the same cleanup
to ensure requests are returned in a clean, reusable state.

Fix:
Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror
the cleanup sequence in _hardware_dequeue():
- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
- Call sglist_do_debounce() with copy=false if bounce buffer exists

This ensures that when requests are returned due to endpoint shutdown,
they don't retain stale DMA mappings. The 'false' parameter to
sglist_do_debounce() prevents copying data back (appropriate for
shutdown path where transfer was aborted).

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The ChipIdea UDC driver in the Linux kernel fails to unmap DMA buffers and clean scatter‑gather bounce buffers when an endpoint is shut down. When a device disconnects during a multi‑segment DMA transfer, the request still retains stale DMA state. If that same request object is reused on reconnect, the hardware enqueue path skips DMA mapping and attempts to use freed or invalid DMA addresses, leading to alignment errors and kernel memory corruption. Although the flaw does not immediately grant arbitrary code execution, it can crash the system or corrupt critical kernel memory.

Affected Systems

All Linux kernel installations that include the ChipIdea UDC driver are potentially affected until the fix is applied. The vendor information is listed as Linux, and no specific kernel release numbers are provided; therefore, any kernel version prior to the inclusion of the patch in the cited Git commits remains vulnerable.

Risk and Exploitability

The CVSS score is not supplied and the EPSS score is unavailable, so a precise numerical severity cannot be given. The vulnerability is not listed in CISA KEV. The likely attack vector is an attacker who can control USB connectivity to the host or inject a malicious USB device, because the fault is triggered by a disconnect/reconnect sequence during an active transfer. The impact is primarily denial of service or memory corruption, and no publicly known exploits have been reported as of the data provided.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 1b72b834511d17f4d069d512f78671f3f210a2f1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e74c436f8568af1c60942469d0a2300b3ada3857
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< cea2a1257a3b5ea3e769a445b34af13e6aa5a123

Linux

affected

Version	Status	Constraints
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1b72b834511d17f4d069d512f78671f3f210a2f1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e74c436f8568af1c60942469d0a2300b3ada3857)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cea2a1257a3b5ea3e769a445b34af13e6aa5a123)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that adds DMA unmapping and SG cleanup to _ep_nuke(), as referenced in the provided Git commits.
If a kernel upgrade is not immediately possible, temporarily unload the "chipidea" UDC module while the USB gadget is not in use to prevent requests with stale DMA state from being reused.
If the above is infeasible, disable USB gadget functionality or modify the system configuration to avoid reconnecting devices that trigger the driver until the patch is applied.

Generated by OpenCVE AI on May 7, 2026 at 05:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1
https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123
https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857
https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec
https://lore.kernel.org/linux-cve-announce/2026050603-CVE-2026-43250-e395@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43250
https://www.cve.org/CVERecord?id=CVE-2026-43250

History

Thu, 07 May 2026 04:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-459
References		https://lore.kernel.org/linux-cve-announce/2026050603-CVE-2026-43250-e395@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43250 https://www.cve.org/CVERecord?id=CVE-2026-43250

Wed, 06 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
Title		usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1 https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123 https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857 https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:41.158Z

Updated: 2026-05-06T11:28:41.158Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43250

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:45.620

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43250

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43250 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T06:00:16Z

Weaknesses

CWE-459

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object