Description
In the Linux kernel, the following vulnerability has been resolved:

xhci: Fix NULL pointer dereference when reading portli debugfs files

Michal reported and debugged a NULL pointer dereference bug in the
recently added portli debugfs files.

Oops is caused when there are more port registers counted in
xhci->max_ports than ports reported by Supported Protocol capabilities.
This is possible if max_ports is more than maximum port number, or
if there are gaps between ports of different speeds in the 'Supported
Protocol' capabilities.

In such cases port->rhub will be NULL so we can't reach xhci behind it.
Add an explicit NULL check for this case, and print portli in hex
without dereferencing port->rhub.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the Linux kernel's xhci (USB 3 host controller) driver, hit when one of the recently added portli debugfs files is read. The driver counts port register sets into xhci->max_ports, but a port's root-hub pointer (port->rhub) is only filled in for ports that a Supported Protocol capability describes. When max_ports exceeds the highest port number the capabilities cover, or when the capabilities leave gaps between ports of different speeds, the undescribed ports carry port->rhub == NULL; the debugfs read dereferenced that pointer to reach the xhci structure behind it and oopsed. The fix adds an explicit NULL check and prints the raw portli value in hex without touching port->rhub. The oops kills the reading task and, where panic_on_oops is enabled, takes the whole host down, so the practical effect is a denial of service.
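
To make the failure mode concrete, the following is an added user-space model of the port array and of the two shapes of the debugfs read. It is not the kernel's code: the structure and function names (xhci_model, build_ports, count_unmapped_ports, portli_show_unchecked, portli_show_checked, demo_caps, demo_unmapped, demo_show) and the register values are constructed for this example. It populates ports the way the commit message describes: every register slot up to max_ports exists, but rhub is set only for ports a Supported Protocol capability claims, so a gap between capabilities or an oversized max_ports leaves NULL pointers that the unchecked read would dereference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the structures involved; the names are this example's,
 * not the kernel's real definitions. */
struct xhci_hub {
    const char *name;   /* "usb2" or "usb3" root hub */
    int maj_rev;
};

struct xhci_port {
    uint32_t portli;        /* constructed stand-in for the PORTLI register */
    struct xhci_hub *rhub;  /* NULL when no Supported Protocol capability claims the port */
};

#define MAX_PORTS 8

struct xhci_model {
    int max_ports;                      /* port register sets counted by the driver */
    struct xhci_port ports[MAX_PORTS];
    struct xhci_hub usb2_rhub, usb3_rhub;
};

/* One Supported Protocol capability: ports port_offset .. port_offset+port_count-1 (1-based). */
struct proto_cap { int maj_rev; int port_offset; int port_count; };

/* Every register slot up to max_ports exists, but rhub is filled only for ports
 * some capability describes. A gap between capabilities, or a max_ports larger
 * than any described port, leaves rhub NULL for the remaining slots. */
static void build_ports(struct xhci_model *x, int max_ports,
                        const struct proto_cap *caps, int ncaps)
{
    memset(x, 0, sizeof *x);
    x->max_ports = max_ports > MAX_PORTS ? MAX_PORTS : max_ports;
    x->usb2_rhub = (struct xhci_hub){ "usb2", 2 };
    x->usb3_rhub = (struct xhci_hub){ "usb3", 3 };
    for (int i = 0; i < ncaps; i++) {
        int first = caps[i].port_offset, last = first + caps[i].port_count - 1;
        for (int p = first; p <= last; p++) {
            if (p < 1 || p > x->max_ports)
                continue;
            x->ports[p - 1].rhub = caps[i].maj_rev == 3 ? &x->usb3_rhub : &x->usb2_rhub;
        }
    }
    for (int p = 0; p < x->max_ports; p++)
        x->ports[p].portli = ((uint32_t)(p + 1) << 16) | 0x5u;  /* constructed values */
}

/* Ports below max_ports that no capability describes; each one is a NULL rhub. */
static int count_unmapped_ports(const struct xhci_model *x)
{
    int n = 0;
    for (int p = 0; p < x->max_ports; p++)
        if (!x->ports[p].rhub)
            n++;
    return n;
}

/* Vulnerable shape: goes through port->rhub before printing. On an undescribed
 * port this dereferences NULL, which is the oops the CVE describes. */
static int portli_show_unchecked(const struct xhci_port *port, char *buf, size_t len)
{
    return snprintf(buf, len, "%s: 0x%08x\n", port->rhub->name, port->portli);
}

/* Fixed shape: explicit NULL check, then raw hex output without touching rhub. */
static int portli_show_checked(const struct xhci_port *port, char *buf, size_t len)
{
    if (!port->rhub)
        return snprintf(buf, len, "0x%08x\n", port->portli);
    return snprintf(buf, len, "%s: 0x%08x\n", port->rhub->name, port->portli);
}

/* Constructed topology: capabilities describe ports 1-2 (USB 2) and 5-6 (USB 3).
 * Ports 3-4 are a gap; any max_ports above 6 adds trailing undescribed ports. */
static const struct proto_cap demo_caps[] = { { 2, 1, 2 }, { 3, 5, 2 } };

static int demo_unmapped(int max_ports)
{
    struct xhci_model x;
    build_ports(&x, max_ports, demo_caps, 2);
    return count_unmapped_ports(&x);
}

static const char *demo_show(int max_ports, int port_index)
{
    static char buf[64];
    struct xhci_model x;
    build_ports(&x, max_ports, demo_caps, 2);
    portli_show_checked(&x.ports[port_index], buf, sizeof buf);
    return buf;
}

int main(void)
{
    struct xhci_model x;
    char buf[64];
    build_ports(&x, 6, demo_caps, 2);
    printf("max_ports=%d, undescribed ports=%d\n", x.max_ports, count_unmapped_ports(&x));
    for (int p = 0; p < x.max_ports; p++) {
        portli_show_checked(&x.ports[p], buf, sizeof buf);
        printf("port %d: %s", p + 1, buf);
    }
    (void)portli_show_unchecked;  /* kept for contrast; calling it on port 3 would crash */
    return 0;
}
```

Build with cc -std=c99 and run. The unchecked variant is defined but never invoked on a gap port, since that call is exactly the NULL dereference; the checked variant prints "0x00030005" for port 3 instead of crashing, while described ports still get their root-hub name.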

Affected Systems

The affected product is listed only as the Linux kernel (CPE cpe:2.3:o:linux:linux_kernel:*), with no version range given in the provided data. In practice a system is exposed only if it runs a kernel recent enough to carry the portli debugfs files (the commit message calls them recently added), built with CONFIG_DEBUG_FS and the xhci driver, with debugfs mounted, on a controller whose port count or Supported Protocol capability layout leaves some ports undescribed.

Risk and Exploitability

The flaw is a local denial of service: reading the portli debugfs file of an undescribed port on an affected controller triggers the oops. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, score 5.5, Medium) records low privileges, but the kernel mounts debugfs at /sys/kernel/debug with a root-only 0700 root directory by default, so on a default configuration only root, or a process that already runs as root, can reach the file; the exposure widens if debugfs is mounted with uid=, gid= or mode= options. The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so no exploitation has been recorded. An oops in this path disrupts the reading task and, where panic_on_oops is set, every service on the host.

Generated by OpenCVE AI on May 9, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround is listed on this page; the description states the issue has been resolved upstream, so the fix is the kernel commit it refers to.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit adding the NULL check for xhci portli debugfs reads (the fix referenced in the description).
  • Reboot the system after applying the patch so that the updated kernel is actually running.
  • Until then, keep debugfs restricted: leave it unmounted or keep the kernel default root-only mount (do not mount it with uid=, gid= or a mode= wider than 0700), so that only root can read the xhci port files and the local attack surface stays minimal.

Generated by OpenCVE AI on May 9, 2026 at 13:55 UTC.
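
Before relying on the third action, it helps to check how debugfs is actually mounted: the kernel mounts it with a root-only 0700 root directory unless uid=, gid= or mode= mount options relax that. The helper below is an added example, not OpenCVE's or the kernel's code; the enum and function names (debugfs_posture, DEBUGFS_ABSENT, DEBUGFS_DEFAULT, DEBUGFS_RELAXED) are this example's own, and the mount-table lines in main are constructed. It classifies the first debugfs entry in a /proc/mounts listing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* How a debugfs mount exposes its files (example's own classification). */
enum debugfs_posture {
    DEBUGFS_ABSENT,   /* no debugfs entry in the mount table */
    DEBUGFS_DEFAULT,  /* kernel default: root directory 0700, owned by root */
    DEBUGFS_RELAXED   /* uid=, gid= or a mode= other than 0700 widens access */
};

/* Classify the first debugfs entry in text formatted like /proc/mounts:
 * "<device> <mountpoint> <fstype> <options> <dump> <pass>" per line. */
enum debugfs_posture debugfs_posture(const char *mounts)
{
    const char *p = mounts;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512], dev[64], mnt[256], type[32], opts[256];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (sscanf(line, "%63s %255s %31s %255s", dev, mnt, type, opts) == 4 &&
            strcmp(type, "debugfs") == 0) {
            /* Walk the comma-separated options looking for anything that
             * changes ownership or mode of the debugfs root. */
            for (char *o = strtok(opts, ","); o; o = strtok(NULL, ",")) {
                if (!strncmp(o, "uid=", 4) || !strncmp(o, "gid=", 4))
                    return DEBUGFS_RELAXED;
                if (!strncmp(o, "mode=", 5) && strtoul(o + 5, NULL, 8) != 0700)
                    return DEBUGFS_RELAXED;
            }
            return DEBUGFS_DEFAULT;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return DEBUGFS_ABSENT;
}

int main(void)
{
    /* Constructed mount table, used only if /proc/mounts cannot be read. */
    static const char sample[] =
        "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
        "debugfs /sys/kernel/debug debugfs rw,nosuid,nodev,noexec,relatime,mode=755 0 0\n";
    static const char *names[] = { "absent", "default (root-only 0700)", "relaxed" };
    static char buf[65536];
    const char *mounts = sample;
    FILE *f = fopen("/proc/mounts", "r");

    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        mounts = buf;
    }
    printf("debugfs: %s\n", names[debugfs_posture(mounts)]);
    return 0;
}
```

A "relaxed" result means non-root users may be able to open the xhci port files and trigger the oops on an unpatched kernel; "absent" means debugfs is not mounted and the files are unreachable regardless of the kernel version.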

Advisories

No advisories yet.

History

Sat, 09 May 2026 12:15:00 +0000

Type: References
  Values added: (no values shown)
Type: Metrics
  Values removed: threat_severity: None
  Values added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate

Fri, 08 May 2026 17:15:00 +0000

Type: Weaknesses
  Values added: CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type: Description
  Values added: In the Linux kernel, the following vulnerability has been resolved: xhci: Fix NULL pointer dereference when reading portli debugfs files Michal reported and debugged a NULL pointer dereference bug in the recently added portli debugfs files Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than maximum port number, or if there are gaps between ports of different speeds in the 'Supported Protocol' capabilities. In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub.
Type: Title
  Values added: xhci: Fix NULL pointer dereference when reading portli debugfs files
Type: First Time appeared
  Values added: Linux; Linux linux Kernel
Type: CPEs
  Values added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values added: Linux; Linux linux Kernel
Type: References
  Values added: (no values shown)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:03.298Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43431

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:55.367

Modified: 2026-05-08T15:16:55.367

Link: CVE-2026-43431

Red Hat

Severity : Moderate

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43431 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T14:00:06Z

Weaknesses