CVE-2026-43432 (GCVE-0-2026-43432)
Vulnerability from cvelistv5
Published
2026-05-08 14:22
Modified
2026-05-23 16:06
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix memory leak in xhci_disable_slot()
xhci_alloc_command() allocates a command structure and, when the
second argument is true, also allocates a completion structure.
Currently, the error handling path in xhci_disable_slot() only frees
the command structure using kfree(), causing the completion structure
to leak.
Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
frees both the command structure and the associated completion structure.
Since the command structure is allocated with zero-initialization,
command->in_ctx is NULL and will not be erroneously freed by
xhci_free_command().
This bug was found using an experimental static analysis tool we are
developing. The tool is based on the LLVM framework and is specifically
designed to detect memory management issues. It is currently under
active development and not yet publicly available, but we plan to
open-source it after our research is published.
The bug was originally detected on v6.13-rc1 using our static analysis
tool, and we have verified that the issue persists in the latest mainline
kernel.
We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.
Since triggering these error paths in xhci_disable_slot() requires specific
hardware conditions or abnormal state, we were unable to construct a test
case to reliably trigger these specific error paths at runtime.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: fee8be5bde562d4f5f9a100ca80c6d7072ed34c8 Version: 02d5a2a48bb44e7404b794df87e57588b2fd604e Version: 7faac1953ed1f658f719cdf7bb7303fa5eef822c Version: 7faac1953ed1f658f719cdf7bb7303fa5eef822c Version: 7faac1953ed1f658f719cdf7bb7303fa5eef822c Version: 7faac1953ed1f658f719cdf7bb7303fa5eef822c Version: 7faac1953ed1f658f719cdf7bb7303fa5eef822c Version: 7faac1953ed1f658f719cdf7bb7303fa5eef822c Version: cc7c2818c71ebace207df40cc586c8c74e3d1a59 Version: ec0cddcc2454ab08193beb473978f8f8889b7e24 Version: 5.10.85 ≤ Version: 5.15.8 ≤ Version: 4.19.221 ≤ Version: 5.4.165 ≤ |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62",
"status": "affected",
"version": "fee8be5bde562d4f5f9a100ca80c6d7072ed34c8",
"versionType": "git"
},
{
"lessThan": "6288baf0c8c4dcfbf206773aede9c1f2269cec28",
"status": "affected",
"version": "02d5a2a48bb44e7404b794df87e57588b2fd604e",
"versionType": "git"
},
{
"lessThan": "46aea90763832cd6e9b0c2e1c00e6a9512156d4b",
"status": "affected",
"version": "7faac1953ed1f658f719cdf7bb7303fa5eef822c",
"versionType": "git"
},
{
"lessThan": "2e2baa8fb5aa4d080cbfeb84c51eff797529f413",
"status": "affected",
"version": "7faac1953ed1f658f719cdf7bb7303fa5eef822c",
"versionType": "git"
},
{
"lessThan": "807e4fb5140c73eb5dba1e399a990db5c1f3cdf8",
"status": "affected",
"version": "7faac1953ed1f658f719cdf7bb7303fa5eef822c",
"versionType": "git"
},
{
"lessThan": "c65f1b840ab8ce72ba68f1b63bab7960f8fdfa89",
"status": "affected",
"version": "7faac1953ed1f658f719cdf7bb7303fa5eef822c",
"versionType": "git"
},
{
"lessThan": "078b446efc0f5e496c31bccb72b98af979963a83",
"status": "affected",
"version": "7faac1953ed1f658f719cdf7bb7303fa5eef822c",
"versionType": "git"
},
{
"lessThan": "c1c8550e70401159184130a1afc6261db01fc0ce",
"status": "affected",
"version": "7faac1953ed1f658f719cdf7bb7303fa5eef822c",
"versionType": "git"
},
{
"status": "affected",
"version": "cc7c2818c71ebace207df40cc586c8c74e3d1a59",
"versionType": "git"
},
{
"status": "affected",
"version": "ec0cddcc2454ab08193beb473978f8f8889b7e24",
"versionType": "git"
},
{
"lessThan": "5.10.253",
"status": "affected",
"version": "5.10.85",
"versionType": "semver"
},
{
"lessThan": "5.15.203",
"status": "affected",
"version": "5.15.8",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.221",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.165",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/host/xhci.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.16"
},
{
"lessThan": "5.16",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.167",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.130",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.19",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "5.10.85",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "5.15.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.167",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.130",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.78",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.19",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.9",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "5.16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.221",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.165",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Fix memory leak in xhci_disable_slot()\n\nxhci_alloc_command() allocates a command structure and, when the\nsecond argument is true, also allocates a completion structure.\nCurrently, the error handling path in xhci_disable_slot() only frees\nthe command structure using kfree(), causing the completion structure\nto leak.\n\nUse xhci_free_command() instead of kfree(). xhci_free_command() correctly\nfrees both the command structure and the associated completion structure.\nSince the command structure is allocated with zero-initialization,\ncommand-\u003ein_ctx is NULL and will not be erroneously freed by\nxhci_free_command().\n\nThis bug was found using an experimental static analysis tool we are\ndeveloping. The tool is based on the LLVM framework and is specifically\ndesigned to detect memory management issues. It is currently under\nactive development and not yet publicly available, but we plan to\nopen-source it after our research is published.\n\nThe bug was originally detected on v6.13-rc1 using our static analysis\ntool, and we have verified that the issue persists in the latest mainline\nkernel.\n\nWe performed build testing on x86_64 with allyesconfig using GCC=11.4.0.\nSince triggering these error paths in xhci_disable_slot() requires specific\nhardware conditions or abnormal state, we were unable to construct a test\ncase to reliably trigger these specific error paths at runtime."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T16:06:59.368Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62"
},
{
"url": "https://git.kernel.org/stable/c/6288baf0c8c4dcfbf206773aede9c1f2269cec28"
},
{
"url": "https://git.kernel.org/stable/c/46aea90763832cd6e9b0c2e1c00e6a9512156d4b"
},
{
"url": "https://git.kernel.org/stable/c/2e2baa8fb5aa4d080cbfeb84c51eff797529f413"
},
{
"url": "https://git.kernel.org/stable/c/807e4fb5140c73eb5dba1e399a990db5c1f3cdf8"
},
{
"url": "https://git.kernel.org/stable/c/c65f1b840ab8ce72ba68f1b63bab7960f8fdfa89"
},
{
"url": "https://git.kernel.org/stable/c/078b446efc0f5e496c31bccb72b98af979963a83"
},
{
"url": "https://git.kernel.org/stable/c/c1c8550e70401159184130a1afc6261db01fc0ce"
}
],
"title": "usb: xhci: Fix memory leak in xhci_disable_slot()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43432",
"datePublished": "2026-05-08T14:22:03.985Z",
"dateReserved": "2026-05-01T14:12:56.009Z",
"dateUpdated": "2026-05-23T16:06:59.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…