Description
In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Fix memory leak in xhci_disable_slot()

xhci_alloc_command() allocates a command structure and, when the
second argument is true, also allocates a completion structure.
Currently, the error handling path in xhci_disable_slot() only frees
the command structure using kfree(), causing the completion structure
to leak.

Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
frees both the command structure and the associated completion structure.
Since the command structure is allocated with zero-initialization,
command->in_ctx is NULL and will not be erroneously freed by
xhci_free_command().

This bug was found using an experimental static analysis tool we are
developing. The tool is based on the LLVM framework and is specifically
designed to detect memory management issues. It is currently under
active development and not yet publicly available, but we plan to
open-source it after our research is published.

The bug was originally detected on v6.13-rc1 using our static analysis
tool, and we have verified that the issue persists in the latest mainline
kernel.

We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific
hardware conditions or abnormal state, we were unable to construct a test
case to reliably trigger these specific error paths at runtime.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a memory leak in the Linux kernel's USB xHCI host controller driver (xhci_hcd). xhci_alloc_command() allocates a command structure and, when asked to, a separate completion structure that the command owns; the error path in xhci_disable_slot() released only the command with kfree(), so the completion was never freed. Each time that error path is taken a small kernel allocation is lost, and repeated occurrences slowly exhaust kernel memory, ending in a denial of service. The weakness is a missing release of memory after its effective lifetime (CWE-401). The tracking history below also records a CWE-763 classification at one point, but CWE-763 (release of an invalid pointer or reference) does not describe a leak.
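To make the ownership mistake concrete, here is an added userspace model of the pattern the commit message describes. It is not the kernel's code: the real structures carry more fields, and the function and field names are borrowed only so the relationship is easy to follow. A tracked allocator counts live objects, the buggy error path frees only the command, and the fixed path uses the matching destructor, which also shows why a zero-initialised in_ctx is safe to hand to it.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the allocation pattern from the commit message.
 * NOT the kernel's structures or functions; names are reused for readability
 * (the real xhci_command also carries a command TRB and a list head). */

static int live_allocs;            /* number of objects currently allocated */

static void *model_kzalloc(size_t n)
{
    void *p = calloc(1, n);        /* zero-initialised, like kzalloc() */
    if (p)
        live_allocs++;
    return p;
}

static void model_kfree(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

struct completion { int done; };                   /* stand-in for struct completion */
struct xhci_container_ctx { char bytes[64]; };     /* stand-in for the input context */

struct xhci_command {
    struct xhci_container_ctx *in_ctx;   /* NULL unless an input context was allocated */
    struct completion *completion;       /* owned by the command when non-NULL */
    int status;
};

/* Mirrors the documented contract: the second argument selects whether a
 * completion is allocated alongside the command. */
static struct xhci_command *xhci_alloc_command(bool allocate_completion)
{
    struct xhci_command *command = model_kzalloc(sizeof(*command));
    if (!command)
        return NULL;
    if (allocate_completion) {
        command->completion = model_kzalloc(sizeof(*command->completion));
        if (!command->completion) {
            model_kfree(command);
            return NULL;
        }
    }
    return command;
}

/* Frees the command and everything it owns. in_ctx is skipped when NULL,
 * which is why a freshly zero-initialised command is safe to pass here. */
static void xhci_free_command(struct xhci_command *command)
{
    if (!command)
        return;
    if (command->in_ctx)
        model_kfree(command->in_ctx);
    model_kfree(command->completion);
    model_kfree(command);
}

/* Buggy error path: only the outer object is released.
 * Returns how many objects were still live after the "cleanup" (1 = the leaked completion). */
static int disable_slot_error_path_before(void)
{
    live_allocs = 0;
    struct xhci_command *command = xhci_alloc_command(true);
    if (!command)
        return -1;
    /* ... submitting the command fails here in the real driver ... */
    struct completion *orphan = command->completion;  /* saved only so the demo can clean up */
    model_kfree(command);          /* kernel bug: command->completion is now unreachable */
    int leaked = live_allocs;
    model_kfree(orphan);           /* demo-only cleanup; the kernel has no pointer left to do this */
    return leaked;
}

/* Fixed error path: release through the matching destructor. Returns 0. */
static int disable_slot_error_path_after(void)
{
    live_allocs = 0;
    struct xhci_command *command = xhci_alloc_command(true);
    if (!command)
        return -1;
    xhci_free_command(command);    /* frees completion and command together */
    return live_allocs;
}

int main(void)
{
    assert(disable_slot_error_path_before() == 1);
    assert(disable_slot_error_path_after() == 0);
    return 0;
}
```

The general lesson is the one the commit applies: an object allocated by a constructor that may attach owned sub-objects must be released by the matching destructor, never by a bare kfree() of the outer struct, and that destructor must tolerate fields that were never populated.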

Affected Systems

The bug is in the core Linux kernel, so it affects any distribution kernel built with xHCI support (the xhci_hcd driver) that lacks the fix. The commit message says the leak was detected on v6.13-rc1 and persists in the latest mainline kernel at the time of the fix; it does not identify the commit that introduced the bug, so older kernels should be treated as affected until a vendor states otherwise. Practically every modern system exposes USB through an xHCI controller, so the affected population is broad, but the leak only occurs when the disable-slot error path is hit, not on ordinary device attach and detach.

Risk and Exploitability

The CVSS 3.1 base score of 5.5 (Medium) comes from the vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: a local, low-privileged attacker, no user interaction, and impact on availability only; Red Hat rates the severity Low. The EPSS score is below 1 % and the CVE is not in CISA KEV, so widespread exploitation is unlikely. Based on the description, exploiting the flaw means repeatedly driving xhci_disable_slot() into one of its error paths, which the reporters say requires specific hardware conditions or abnormal state and which they could not reproduce at runtime. The practical risk for ordinary users is therefore low; hosts that see a high rate of USB slot disable failures, for example because of misbehaving or custom hardware, are the ones most likely to see gradual memory exhaustion and service disruption.

Generated by OpenCVE AI on May 9, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel that contains the fix (the commit replacing kfree() with xhci_free_command() in the error path of xhci_disable_slot()). The CVE record names no fixed version, so track your distribution's kernel advisories for the backport.
  • Disabling the xHCI controller in BIOS/UEFI is a possible stopgap, but on most hardware built in the last decade there is no separate EHCI controller, so it disables every USB port and is rarely acceptable. Because the leak only triggers on an error path, removing or replacing the USB devices or controller that keep hitting that path is the more targeted interim measure.
  • Monitor kernel memory rather than overall usage: slow, unexplained growth in the Slab or SUnreclaim figures in /proc/meminfo on a host with USB churn is consistent with this leak, and a kernel built with CONFIG_DEBUG_KMEMLEAK can attribute leaked objects to their allocation site.
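The monitoring advice above is hard to act on without attribution, so here is an added example (not OpenCVE's or the kernel project's code) that parses a kmemleak-style report and counts leaked objects whose backtrace passes through a given symbol. The report text is constructed for the example; the assumption, following the commit message's statement that xhci_alloc_command() allocates the completion, is that a leaked completion would show xhci_alloc_command() and xhci_disable_slot() in its allocation backtrace.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the shape of a /sys/kernel/debug/kmemleak report
 * (CONFIG_DEBUG_KMEMLEAK). Addresses, sizes, pids and offsets are invented;
 * the parser relies only on the "unreferenced object" record header and the
 * indented lines that follow it. */
static const char *const sample_report =
    "unreferenced object 0xffff888104a0c200 (size 32):\n"
    "  comm \"kworker/0:1\", pid 7, jiffies 4294893012 (age 120.4s)\n"
    "  hex dump (first 32 bytes):\n"
    "    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n"
    "  backtrace:\n"
    "    [<0000000012345678>] kmalloc_trace+0x2a/0x90\n"
    "    [<000000009abcdef0>] xhci_alloc_command+0x5c/0xb0\n"
    "    [<00000000deadbeef>] xhci_disable_slot+0x3e/0x150\n"
    "unreferenced object 0xffff888104a0c400 (size 64):\n"
    "  comm \"modprobe\", pid 412, jiffies 4294890001 (age 150.1s)\n"
    "  backtrace:\n"
    "    [<00000000cafebabe>] kmalloc_trace+0x2a/0x90\n"
    "    [<0000000011111111>] some_other_driver_probe+0x10/0x20\n"
    "unreferenced object 0xffff888104a0c600 (size 32):\n"
    "  comm \"kworker/1:2\", pid 19, jiffies 4294893100 (age 119.9s)\n"
    "  backtrace:\n"
    "    [<0000000012345678>] kmalloc_trace+0x2a/0x90\n"
    "    [<000000009abcdef0>] xhci_alloc_command+0x5c/0xb0\n"
    "    [<00000000deadbeef>] xhci_disable_slot+0x3e/0x150\n";

static const char record_header[] = "unreferenced object";

/* true when the first `len` bytes of `line` contain `needle` (strstr bounded to one line) */
static bool line_contains(const char *line, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len)
        return false;
    for (size_t i = 0; i + nlen <= len; i++)
        if (strncmp(line + i, needle, nlen) == 0)
            return true;
    return false;
}

/* Counts "unreferenced object" records in which any line mentions `symbol`.
 * Returns the count, or -1 if either argument is NULL. */
static int count_leaks_from(const char *report, const char *symbol)
{
    if (!report || !symbol)
        return -1;
    int matches = 0;
    bool in_record = false, matched = false;
    for (const char *line = report; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (strncmp(line, record_header, sizeof(record_header) - 1) == 0) {
            if (in_record && matched)      /* close out the previous record */
                matches++;
            in_record = true;
            matched = false;
        } else if (in_record && line_contains(line, len, symbol)) {
            matched = true;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    if (in_record && matched)
        matches++;
    return matches;
}

/* Total number of leaked objects the report lists (one per record header). */
static int count_records(const char *report)
{
    if (!report)
        return -1;
    int records = 0;
    for (const char *line = report; *line; ) {
        if (strncmp(line, record_header, sizeof(record_header) - 1) == 0)
            records++;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return records;
}

int main(void)
{
    printf("%d of %d leaked objects were allocated via xhci_alloc_command\n",
           count_leaks_from(sample_report, "xhci_alloc_command"),
           count_records(sample_report));
    return 0;
}
```

On a kernel built with CONFIG_DEBUG_KMEMLEAK, trigger a scan with `echo scan > /sys/kernel/debug/kmemleak` and read /sys/kernel/debug/kmemleak (debugfs must be mounted); feeding that text to count_leaks_from() in place of the embedded sample gives the real count. A count that grows across scans while the system is cycling USB devices is the signature to look for; a single stale entry is usually noise from a transient allocation.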


Advisories

No advisories yet.

History

Sat, 09 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-763
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description (the full commit message reproduced at the top of this page)
Title usb: xhci: Fix memory leak in xhci_disable_slot()
First Time appeared Linux; Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:03.985Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43432

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:55.470

Modified: 2026-05-08T15:16:55.470

Link: CVE-2026-43432

Redhat

Severity : Low

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43432 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:30:37Z

Weaknesses