CVE-2026-43426 - Vulnerability Details

- usb: renesas_usbhs: fix use-after-free in ISR during device removal

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: renesas_usbhs: fix use-after-free in ISR during device removal

In usbhs_remove(), the driver frees resources (including the pipe array)
while the interrupt handler (usbhs_interrupt) is still registered. If an
interrupt fires after usbhs_pipe_remove() but before the driver is fully
unbound, the ISR may access freed memory, causing a use-after-free.

Fix this by calling devm_free_irq() before freeing resources. This ensures
the interrupt handler is both disabled and synchronized (waits for any
running ISR to complete) before usbhs_pipe_remove() is called.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< c7012fc73dab4829404fedeeaa8531f12ac8545f
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 51afaf919bbaacdd9cc9e146033ae0a743a42dd7
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 1899edac312ef17a7234851686e8a703f56d0a84
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 9c6159d5b72d5fc265cce5da04f27d730b552e69
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 6287e0c01ccb818e7214f88d885ffb7c9e81b0e0
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 6ffe44f022c95b1b29c691d2169c5abc046f7580
`f1407d5c66240b33d11a7f1a41d55ccf6a9d7647`	affected	< 3cbc242b88c607f55da3d0d0d336b49bf1e20412

Linux

affected

Version	Status	Constraints
`3.0`	affected	—
`0`	unaffected	< 3.0
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,c7012fc73dab4829404fedeeaa8531f12ac8545f)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,51afaf919bbaacdd9cc9e146033ae0a743a42dd7)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,1899edac312ef17a7234851686e8a703f56d0a84)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,9c6159d5b72d5fc265cce5da04f27d730b552e69)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,6287e0c01ccb818e7214f88d885ffb7c9e81b0e0)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,6ffe44f022c95b1b29c691d2169c5abc046f7580)`	affected	code_commit	—
`[f1407d5c66240b33d11a7f1a41d55ccf6a9d7647,3cbc242b88c607f55da3d0d0d336b49bf1e20412)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.0`	affected	generic	—
`[0,3.0)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae
https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84
https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412
https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7
https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0
https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580
https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69
https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f
https://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43426-eef1@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43426
https://www.cve.org/CVERecord?id=CVE-2026-43426

History

Sat, 09 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-364
References		https://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43426-eef1@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43426 https://www.cve.org/CVERecord?id=CVE-2026-43426

Fri, 08 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called.
Title		usb: renesas_usbhs: fix use-after-free in ISR during device removal
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84 https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412 https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7 https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0 https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580 https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69 https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:59.668Z

Updated: 2026-05-11T22:24:21.643Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43426

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-08T15:16:54.740

Modified: 2026-05-12T14:10:27.343

Link: CVE-2026-43426

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43426 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses

CWE-364

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object