CVE-2026-43343
USB Gadget Subset Reference Count Leak Fix

Publication date: 2026-05-08

Last updated on: 2026-05-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_subset: Fix unbalanced refcnt in geth_free

geth_alloc() increments the reference count, but geth_free() fails to decrement it. This prevents the configuration of attributes via configfs after unlinking the function.

Decrement the reference count in geth_free() to ensure proper cleanup.

Affected Vendors & Products

Showing 13 associated CPEs

Vendor | Product | Version / Range
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | 7.0
linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc)
linux | linux_kernel | From 6.13 (inc) to 6.18.22 (exc)
linux | linux_kernel | From 5.16 (inc) to 6.1.168 (exc)
linux | linux_kernel | From 6.19 (inc) to 6.19.12 (exc)
linux | linux_kernel | From 6.7 (inc) to 6.12.81 (exc)
linux | linux_kernel | From 6.2 (inc) to 6.6.134 (exc)
linux | linux_kernel | From 3.11 (inc) to 5.10.253 (exc)

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version where the issue in usb: gadget: f_subset has been fixed. Specifically, ensure that the kernel includes the patch that decrements the reference count in geth_free() to prevent improper cleanup.

Applying the latest kernel updates from your Linux distribution vendor is the recommended immediate step.

Executive Summary

This vulnerability exists in the Linux kernel's USB gadget subsystem, specifically in the f_subset function. The issue is that the function geth_alloc() increases a reference count, but the corresponding geth_free() function does not decrease it. This imbalance in reference counting prevents proper cleanup and stops the configuration of attributes via configfs after the function is unlinked.

The fix involves decrementing the reference count in geth_free() to ensure that resources are properly released.
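
The imbalance described above, as a simplified userspace model added here (it is not the kernel's code or the upstream patch). The names model_opts, model_func, model_alloc, model_free, model_attr_store and cycle_then_store are hypothetical, and the -EBUSY refusal while the count is non-zero is an assumption standing in for the blocked configfs attribute writes the description reports.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified userspace model; every name here is hypothetical, not kernel source. */
struct model_opts { int refcnt; int attr; };  /* attr stands in for a configfs attribute */
struct model_func { struct model_opts *opts; };

/* Alloc path (function linked into a configuration): takes a reference. */
static void model_alloc(struct model_func *f, struct model_opts *opts)
{
    f->opts = opts;
    opts->refcnt++;
}

/* Free path: fixed == 0 models the missing decrement, otherwise it is dropped. */
static void model_free(struct model_func *f, int fixed)
{
    if (fixed)
        f->opts->refcnt--;
}

/* Attribute write: assumed to be refused while any reference is held. */
static int model_attr_store(struct model_opts *opts, int value)
{
    if (opts->refcnt)
        return -EBUSY;
    opts->attr = value;
    return 0;
}

/* Link and unlink `cycles` times, then reconfigure; leftover count goes to *left. */
static int cycle_then_store(int fixed, int cycles, int *left)
{
    struct model_opts opts = { 0, 0 };
    struct model_func f;
    for (int i = 0; i < cycles; i++) {
        model_alloc(&f, &opts);
        model_free(&f, fixed);
    }
    *left = opts.refcnt;
    return model_attr_store(&opts, 42);
}

int main(void)
{
    int left, rc = cycle_then_store(0, 3, &left);
    printf("before fix: store=%d leaked=%d\n", rc, left);
    rc = cycle_then_store(1, 3, &left);
    printf("after fix:  store=%d leaked=%d\n", rc, left);
    return 0;
}
```

In the model, each link/unlink cycle on the unbalanced path leaves one more reference behind, so the options stay locked until the object holding the count is destroyed.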

Impact Analysis

Because the reference count is not properly decremented, the system may fail to clean up resources correctly after unlinking the USB gadget function. This can lead to issues with configuring attributes via configfs, potentially causing malfunction or instability in USB gadget operations.
