CVSS: -EPSS: 0%CPEs: 10EXPL: 0CVE-2026-43432 – usb: xhci: Fix memory leak in xhci_disable_slot()
https://notcve.org/view.php?id=CVE-2026-43432
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix memory leak in xhci_disable_slot() xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak. Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the as... • https://git.kernel.org/stable/c/fee8be5bde562d4f5f9a100ca80c6d7072ed34c8 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43430 – usb: yurex: fix race in probe
https://notcve.org/view.php?id=CVE-2026-43430
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data. • https://git.kernel.org/stable/c/6bc235a2e24a5ef677daee3fd4f74f6cd643e23c •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43429 – USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
https://notcve.org/view.php?id=CVE-2026-43429
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely. • https://git.kernel.org/stable/c/048c6d88a0214757926f264823829e79154fcd4f •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43428 – USB: core: Limit the length of unkillable synchronous timeouts
https://notcve.org/view.php?id=CVE-2026-43428
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these u... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43427 – usb: class: cdc-wdm: fix reordering issue in read code path
https://notcve.org/view.php?id=CVE-2026-43427
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: class: cdc-wdm: fix reordering issue in read code path Quoting the bug report: Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1]. Fix it by using WRITE_ONCE and memory barriers. • https://git.kernel.org/stable/c/afba937e540c902c989cd516fd97ea0c8499bb27 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43426 – usb: renesas_usbhs: fix use-after-free in ISR during device removal
https://notcve.org/view.php?id=CVE-2026-43426
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt ... • https://git.kernel.org/stable/c/f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43425 – usb: image: mdc800: kill download URB on timeout
https://notcve.org/view.php?id=CVE-2026-43425
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: image: mdc800: kill download URB on timeout mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active. A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb(): "URB submitted while active" Check the return value of wait_event_timeout() and kill the URB i... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2026-43424 – usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
https://notcve.org/view.php?id=CVE-2026-43424
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately... • https://git.kernel.org/stable/c/c52661d60f636d17e26ad834457db333bd1df494 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2026-43421 – usb: gadget: f_ncm: Fix net_device lifecycle with device_move
https://notcve.org/view.php?id=CVE-2026-43421
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mappin... • https://git.kernel.org/stable/c/40d133d7f542616cf9538508a372306e626a16e9 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2026-43420 – ceph: fix i_nlink underrun during async unlink
https://notcve.org/view.php?id=CVE-2026-43420
08 May 2026 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/in... • https://git.kernel.org/stable/c/2ccb45462aeaf0831397b90d31d3d50a7704fa1f •