Description
In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()

The ChipIdea UDC driver can encounter "not page aligned sg buffer"
errors when a USB device is reconnected after being disconnected
during an active transfer. This occurs because _ep_nuke() returns
requests to the gadget layer without properly unmapping DMA buffers
or cleaning up scatter-gather bounce buffers.

Root cause:
When a disconnect happens during a multi-segment DMA transfer, the
request's num_mapped_sgs field and sgt.sgl pointer remain set with
stale values. The request is returned to the gadget driver with status
-ESHUTDOWN but still has active DMA state. If the gadget driver reuses
this request on reconnect without reinitializing it, the stale DMA
state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero
num_mapped_sgs) and attempt to use freed/invalid DMA addresses,
leading to alignment errors and potential memory corruption.

The normal completion path via _hardware_dequeue() properly calls
usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before
returning the request. The _ep_nuke() path must do the same cleanup
to ensure requests are returned in a clean, reusable state.

Fix:
Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror
the cleanup sequence in _hardware_dequeue():
- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
- Call sglist_do_debounce() with copy=false if bounce buffer exists

This ensures that when requests are returned due to endpoint shutdown,
they don't retain stale DMA mappings. The 'false' parameter to
sglist_do_debounce() prevents copying data back (appropriate for
shutdown path where transfer was aborted).
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ChipIdea UDC driver in the Linux kernel fails to unmap DMA buffers and clean scatter‑gather bounce buffers when an endpoint is shut down. When a device disconnects during a multi‑segment DMA transfer, the request still retains stale DMA state. If that same request object is reused on reconnect, the hardware enqueue path skips DMA mapping and attempts to use freed or invalid DMA addresses, leading to alignment errors and kernel memory corruption. Although the flaw does not immediately grant arbitrary code execution, it can crash the system or corrupt critical kernel memory.

Affected Systems

All Linux kernel installations that include the ChipIdea UDC driver are potentially affected until the fix is applied. The vendor information is listed as Linux, and no specific kernel release numbers are provided; therefore, any kernel version prior to the inclusion of the patch in the cited Git commits remains vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate to high severity, while the EPSS score of < 1% suggests a low probability of exploitation. The vulnerability is not included in CISA’s KEV catalog. The likely attack vector involves an attacker controlling USB connectivity, such as a malicious USB device or orchestrating a disconnect/reconnect cycle during active transfers. The impact is primarily denial of service or memory corruption, consistent with the identified CWEs of improper memory management and improper handle disposal. No publicly known exploits have been reported as of the data provided.

Generated by OpenCVE AI on May 12, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds DMA unmapping and SG cleanup to _ep_nuke(), as referenced in the provided Git commits.
  • If a kernel upgrade is not immediately possible, temporarily unload the "chipidea" UDC module while the USB gadget is not in use to prevent requests with stale DMA state from being reused.
  • If the above is infeasible, disable USB gadget functionality or modify the system configuration to avoid reconnecting devices that trigger the driver until the patch is applied.

Generated by OpenCVE AI on May 12, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-459
References

Wed, 06 May 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
Title usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:20:54.786Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43250

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:45.620

Modified: 2026-05-12T18:51:16.140

Link: CVE-2026-43250

cve-icon Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43250 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:30:25Z

Weaknesses