CVE-2026-43250

{"id": "CVE-2026-43250", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-05-06T12:16:45.620", "references": [{"url": "https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()\n\nThe ChipIdea UDC driver can encounter \"not page aligned sg buffer\"\nerrors when a USB device is reconnected after being disconnected\nduring an active transfer. This occurs because _ep_nuke() returns\nrequests to the gadget layer without properly unmapping DMA buffers\nor cleaning up scatter-gather bounce buffers.\n\nRoot cause:\nWhen a disconnect happens during a multi-segment DMA transfer, the\nrequest's num_mapped_sgs field and sgt.sgl pointer remain set with\nstale values. The request is returned to the gadget driver with status\n-ESHUTDOWN but still has active DMA state. If the gadget driver reuses\nthis request on reconnect without reinitializing it, the stale DMA\nstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zero\nnum_mapped_sgs) and attempt to use freed/invalid DMA addresses,\nleading to alignment errors and potential memory corruption.\n\nThe normal completion path via _hardware_dequeue() properly calls\nusb_gadget_unmap_request_by_dev() and sglist_do_debounce() before\nreturning the request. The _ep_nuke() path must do the same cleanup\nto ensure requests are returned in a clean, reusable state.\n\nFix:\nAdd DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror\nthe cleanup sequence in _hardware_dequeue():\n- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set\n- Call sglist_do_debounce() with copy=false if bounce buffer exists\n\nThis ensures that when requests are returned due to endpoint shutdown,\nthey don't retain stale DMA mappings. The 'false' parameter to\nsglist_do_debounce() prevents copying data back (appropriate for\nshutdown path where transfer was aborted)."}], "lastModified": "2026-05-12T18:51:16.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C0B1026-23F7-4F83-B19F-153326AAEC72", "versionEndExcluding": "6.12.75", "versionStartIncluding": "2.6.29"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B", "versionEndExcluding": "6.18.16", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67", "versionEndExcluding": "6.19.6", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}