Description
In the Linux kernel, the following vulnerability has been resolved:

usb: renesas_usbhs: fix use-after-free in ISR during device removal

In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.

Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.
Published: 2026-05-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Renesas USBHS driver in the Linux kernel contains a use‑after‑free flaw (CWE‑364 and CWE‑416) that is triggered while a USB device is being removed. During removal the driver frees its internal resources, including the pipe array, but the interrupt handler remains registered. When an interrupt fires after the resources have been deallocated but before the driver is fully unbound, the ISR may read or write memory that has already been freed, corrupting kernel memory and potentially causing a kernel panic. This type of weakness is a classic resource‑management error that allows an attacker to influence the state of the system in a harmful way.

Affected Systems

All Linux kernel builds that include the Renesas USBHS driver are affected until the patch that calls devm_free_irq() before freeing resources is applied. The flaw is confined to kernel space and affects only systems running a kernel with this driver, regardless of the specific Linux distribution.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog, has an EPSS score of < 1%, and a CVSS score of 7.8, indicating moderate‑to‑high severity but low exploitation probability under normal circumstances. Based on the description, the attack vector is inferred to be local; an attacker with access to a USB port can trigger a device removal while the driver is active. The use‑after‑free can corrupt kernel memory, posing a significant risk to availability and integrity of the host.

Generated by OpenCVE AI on May 20, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch that calls devm_free_irq() before freeing USBHS resources.
  • If an upgrade is not possible, disable the Renesas USBHS driver or prevent it from handling USB devices until the system can guarantee no removal occurs while the interrupt is still registered.
  • Rebuild or reconfigure the kernel to exclude the USBHS driver entirely if USB functionality is not required.

Generated by OpenCVE AI on May 20, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Wed, 20 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 09 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called.
Title usb: renesas_usbhs: fix use-after-free in ISR during device removal
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:21.643Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43426

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:54.740

Modified: 2026-05-20T18:32:36.417

Link: CVE-2026-43426

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43426 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T19:30:37Z

Weaknesses