CVE-2026-43250
Awaiting Analysis Awaiting Analysis - Queue
USB DMA and SG Cleanup Flaw in Linux Kernel ChipIdea UDC

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-06
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43250
EUVD
EUVD-2026-27813
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chipidea udc *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ChipIdea UDC USB driver. It occurs when a USB device is disconnected during an active multi-segment DMA transfer and then reconnected. The driver fails to properly clean up DMA and scatter-gather (SG) buffers in the _ep_nuke() function, leaving stale DMA state in the request.

Specifically, the num_mapped_sgs field and sgt.sgl pointer remain set with old values, causing the gadget driver to reuse requests with invalid DMA mappings. This leads to alignment errors and potential memory corruption because the hardware enqueue function skips DMA mapping due to the stale state.

The fix involves adding proper DMA unmapping and bounce buffer cleanup in the _ep_nuke() function to ensure requests are returned in a clean, reusable state after an endpoint shutdown.


How can this vulnerability impact me? :

This vulnerability can cause memory corruption and alignment errors in the USB device driver when a USB device is disconnected and reconnected during active data transfers.

Such memory corruption could potentially lead to system instability, crashes, or unexpected behavior in the USB subsystem, which might affect device functionality or overall system reliability.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability is caused by improper cleanup of DMA and scatter-gather buffers in the ChipIdea UDC driver when a USB device is disconnected during an active transfer.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix for this issue. The fix involves adding proper DMA unmapping and bounce buffer cleanup in the _ep_nuke() function to ensure requests do not retain stale DMA mappings.

  • Apply the patch that calls usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set.
  • Apply the patch that calls sglist_do_debounce() with copy=false if a bounce buffer exists.

These steps ensure that when endpoints are shut down, requests are returned in a clean, reusable state, preventing alignment errors and potential memory corruption.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart