CVE-2026-43327
Received Received - Intake
Race Condition in Linux Kernel USB Gadget Core

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-29
AI Q&A
2026-05-08
EPSS Evaluated
2026-05-28
NVD
CVE-2026-43327
EUVD
EUVD-2026-28611
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash due to an addressing exception triggered by the race condition in the USB dummy host controller driver.

A kernel crash can lead to system instability, denial of service, and potential loss of data or interruption of services relying on USB gadget functionality.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's USB dummy host controller driver (dummy-hcd). It is caused by a race condition in the usb_gadget_udc_reset() function, where the function is called with a NULL driver argument due to improper synchronization.

The root cause is that the stop_activity() routine sometimes releases and then re-acquires a spinlock (dum->lock), allowing another thread performing a driver unbind to intervene and clear important flags and pointers prematurely. This happens because the callback usage counter (dum->callback_usage) is incremented too late, allowing the unbind thread to proceed without waiting.

The fix involves incrementing dum->callback_usage before calling stop_activity(), ensuring that the unbind thread cannot clear the driver pointer until after usb_gadget_udc_reset() completes safely.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is a synchronization error in the Linux kernel's USB dummy host controller driver (dummy-hcd) that can cause a crash due to a race condition during USB reset and driver unbind.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix which increments the callback usage counter before calling stop_activity(), preventing the race condition.

Since this is a kernel-level issue, applying the official kernel patch or upgrading to a patched kernel release is the immediate and recommended step.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart