CVE-2026-43327 - Vulnerability Details

- USB: dummy-hcd: Fix locking/synchronization error

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: dummy-hcd: Fix locking/synchronization error

Syzbot testing was able to provoke an addressing exception and crash
in the usb_gadget_udc_reset() routine in
drivers/usb/gadgets/udc/core.c, resulting from the fact that the
routine was called with a second ("driver") argument of NULL. The bad
caller was set_link_state() in dummy_hcd.c, and the problem arose
because of a race between a USB reset and driver unbind.

These sorts of races were not supposed to be possible; commit
7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"),
along with a few followup commits, was written specifically to prevent
them. As it turns out, there are (at least) two errors remaining in
the code. Another patch will address the second error; this one is
concerned with the first.

The error responsible for the syzbot crash occurred because the
stop_activity() routine will sometimes drop and then re-acquire the
dum->lock spinlock. A call to stop_activity() occurs in
set_link_state() when handling an emulated USB reset, after the test
of dum->ints_enabled and before the increment of dum->callback_usage.
This allowed another thread (doing a driver unbind) to sneak in and
grab the spinlock, and then clear dum->ints_enabled and dum->driver.
Normally this other thread would have to wait for dum->callback_usage
to go down to 0 before it would clear dum->driver, but in this case it
didn't have to wait since dum->callback_usage had not yet been
incremented.

The fix is to increment dum->callback_usage _before_ calling
stop_activity() instead of after. Then the thread doing the unbind
will not clear dum->driver until after the call to
usb_gadget_udc_reset() safely returns and dum->callback_usage has been
decremented again.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel's dummy-hcd driver contains a race condition between a USB reset and driver unbind that can cause a null pointer dereference in the usb_gadget_udc_reset routine, resulting in a kernel panic. This flaw manifests as an addressing exception that leads to a loss of availability for the affected system. The underlying weakness is a synchronization error that allows concurrent threads to manipulate shared state inconsistently, as evidenced by Syzbot testing. The crash renders the host device unresponsive until reboot, giving attackers a significant denial‑of‑service vector.

Affected Systems

All Linux kernel builds that include the dummy-hcd gadget driver and are affected by the race condition, with no explicit version bounds in the report. The vulnerability was addressed in recent commits to the kernel source seen in the referenced Git history. Systems running unpatched kernels should be considered affected.

Risk and Exploitability

The CVSS score is not provided, but the impact of a kernel panic assigns a high severity. EPSS is not available and the vulnerability is not listed in CISA KEV, so there is no known exploitation data, yet the ease of reproducing the race with a crafted USB reset suggests a moderate to high exploitation probability for a local attacker with sufficient privileges to trigger the reset or unbind. The attack vector appears to be local or possibly remote if USB interfaces can be manipulated over a networked host controller. Administrators should treat this as a high‑risk issue until a kernel update is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< 6350c7dd33ab481ef41c931a238361490c32d15c
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< cc97fb5969177cccce2e23b31298df220fc7570d
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< 218886b2ef2dea7627d3700ab0abaf4bf9d1161f
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< 791966f85b439b261bf19865cf1c07c065ffb4b4
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< 805b1833d6ed6da5086e610578a28e71bb54fbbb
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< efbd9441f1e769a7aae1813d497cec09cbdff031
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< 69ab97a693251d6a6093e630060a3c744fd58524
`7dbd8f4cabd96db5a50513de9d83a8105a5ffc81`	affected	< 616a63ff495df12863692ab3f9f7b84e3fa7a66d
`7b416b9dac6ede26d4ca0c1a88b448b543623ff3`	affected	—
`8590bc1da625dd4a589eac0fc3aa3cf4f400424d`	affected	—
`a867d5b932ac4911d3f8a1e63505061b0c81f889`	affected	—
`e84b4a008365b7edbd842a063ae28d040a98db25`	affected	—
`e39b17143a5b5aac81f066d455e5d3a9877eb3ae`	affected	—
`4f8ae1fcb0dfbb72a7678f81bf01fb7fc85c6715`	affected	—

Linux

affected

Version	Status	Constraints
`4.14`	affected	—
`0`	unaffected	< 4.14
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,6350c7dd33ab481ef41c931a238361490c32d15c)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,cc97fb5969177cccce2e23b31298df220fc7570d)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,218886b2ef2dea7627d3700ab0abaf4bf9d1161f)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,791966f85b439b261bf19865cf1c07c065ffb4b4)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,805b1833d6ed6da5086e610578a28e71bb54fbbb)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,efbd9441f1e769a7aae1813d497cec09cbdff031)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,69ab97a693251d6a6093e630060a3c744fd58524)`	affected	code_commit	—
`[7dbd8f4cabd96db5a50513de9d83a8105a5ffc81,616a63ff495df12863692ab3f9f7b84e3fa7a66d)`	affected	code_commit	—
`7b416b9dac6ede26d4ca0c1a88b448b543623ff3`	affected	code_commit	—
`8590bc1da625dd4a589eac0fc3aa3cf4f400424d`	affected	code_commit	—
`a867d5b932ac4911d3f8a1e63505061b0c81f889`	affected	code_commit	—
`e84b4a008365b7edbd842a063ae28d040a98db25`	affected	code_commit	—
`e39b17143a5b5aac81f066d455e5d3a9877eb3ae`	affected	code_commit	—
`4f8ae1fcb0dfbb72a7678f81bf01fb7fc85c6715`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.14`	affected	generic	—
`[0,4.14)`	unaffected	generic	—
`[5.10.253,5.10.*]`	unaffected	generic	—
`[5.15.203,5.15.*]`	unaffected	generic	—
`[6.1.168,6.1.*]`	unaffected	generic	—
`[6.6.134,6.6.*]`	unaffected	generic	—
`[6.12.81,6.12.*]`	unaffected	generic	—
`[6.18.22,6.18.*]`	unaffected	generic	—
`[6.19.12,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that incorporates the 7dbd8f4cabd9 patch and subsequent commits that resolve the dummy‑hcd race condition
If a timely kernel update is unavailable, disable the dummy‑hcd gadget driver by setting CONFIG_USB_DUMMY_HCD to n or removing the module from the system
Restrict USB gadget usage or apply stricter udev rules to limit which users can trigger USB resets or unbind drivers
Monitor kernel logs for sudden crashes or BUG messages that could indicate an attempted exploitation
Consider rebooting affected systems promptly after applying any of the above mitigations to ensure stability

Generated by OpenCVE AI on May 8, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f
https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d
https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c
https://git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524
https://git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4
https://git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb
https://git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d
https://git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031

History

Fri, 08 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-476

Fri, 08 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.
Title		USB: dummy-hcd: Fix locking/synchronization error
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c https://git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524 https://git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4 https://git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb https://git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d https://git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:31:12.896Z

Updated: 2026-05-08T13:31:12.896Z

Reserved: 2026-05-01T14:12:56.002Z

Link: CVE-2026-43327

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T14:16:42.243

Modified: 2026-05-08T14:16:42.243

Link: CVE-2026-43327

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object