CVE-2026-43426 - Vulnerability Details

- usb: renesas_usbhs: fix use-after-free in ISR during device removal

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: renesas_usbhs: fix use-after-free in ISR during device removal

In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.

Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Renesas USBHS driver in the Linux kernel contains a use‑after‑free flaw (CWE‑364) that is triggered while a USB device is being removed. During removal the driver frees its internal resources, including the pipe array, but the interrupt handler remains registered. When an interrupt fires after the resources have been deallocated but before the driver is fully unbound, the ISR may read or write memory that has already been freed, corrupting kernel memory and potentially causing a kernel panic. This type of weakness is a classic resource‑management error that allows an attacker to influence the state of the system in a harmful way.

Affected Systems

All Linux kernel builds that include the Renesas USBHS driver are affected until the patch that calls devm_free_irq() before freeing resources is applied. The flaw is confined to kernel space and affects only systems running a kernel with this driver, regardless of the specific Linux distribution.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is available, so the likelihood of exploitation is uncertain. Based on the description, the attack vector is inferred to be local; an attacker with access to a USB port can trigger a device removal while the driver is active. The use‑after‑free can corrupt kernel memory, posing a significant risk to availability and integrity of the host, but without an assigned CVSS score the nominal severity remains unclear.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< c7012fc73dab4829404fedeeaa8531f12ac8545f
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 51afaf919bbaacdd9cc9e146033ae0a743a42dd7
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 1899edac312ef17a7234851686e8a703f56d0a84
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 9c6159d5b72d5fc265cce5da04f27d730b552e69
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 6287e0c01ccb818e7214f88d885ffb7c9e81b0e0
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 6ffe44f022c95b1b29c691d2169c5abc046f7580
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 3cbc242b88c607f55da3d0d0d336b49bf1e20412

Linux

affected

Version	Status	Constraints
`3.0`	affected	—
`0`	unaffected	< 3.0
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,c7012fc73dab4829404fedeeaa8531f12ac8545f)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,51afaf919bbaacdd9cc9e146033ae0a743a42dd7)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,1899edac312ef17a7234851686e8a703f56d0a84)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,9c6159d5b72d5fc265cce5da04f27d730b552e69)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,6287e0c01ccb818e7214f88d885ffb7c9e81b0e0)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,6ffe44f022c95b1b29c691d2169c5abc046f7580)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,3cbc242b88c607f55da3d0d0d336b49bf1e20412)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`[0,3.0)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch that calls devm_free_irq() before freeing USBHS resources.
If an upgrade is not possible, disable the Renesas USBHS driver or prevent it from handling USB devices until the system can guarantee no removal occurs while the interrupt is still registered.
Rebuild or reconfigure the kernel to exclude the USBHS driver entirely if USB functionality is not required.

Generated by OpenCVE AI on May 9, 2026 at 04:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae
https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84
https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412
https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7
https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0
https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580
https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69
https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f
https://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43426-eef1@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43426
https://www.cve.org/CVERecord?id=CVE-2026-43426

History

Sat, 09 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43426-eef1@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43426 https://www.cve.org/CVERecord?id=CVE-2026-43426

Fri, 08 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called.
Title		usb: renesas_usbhs: fix use-after-free in ISR during device removal
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84 https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412 https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7 https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0 https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580 https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69 https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:59.668Z

Updated: 2026-05-08T14:21:59.668Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43426

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:54.740

Modified: 2026-05-08T15:16:54.740

Link: CVE-2026-43426

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43426 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses

CWE-364

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object