CVE-2026-43426
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: renesas_usbhs: fix use-after-free in ISR during device removal
In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free.
Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel renesas_usbhs driver during device removal due to ISR accessing freed memory.
Vulnerability
In the Linux kernel's renesas_usbhs driver, a use-after-free vulnerability exists during device removal. The usbhs_remove() function frees resources, including the pipe array, before the interrupt handler (usbhs_interrupt) is deregistered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory [1][2][3].
Exploitation
An attacker with physical access or control over the USB device could potentially trigger a removal sequence (e.g., unbind the driver or disconnect the device) while interrupts remain enabled. No special privileges beyond normal user access to trigger device removal are required, though the attack surface is limited to systems using the renesas_usbhs driver.
Impact
Successful exploitation could lead to memory corruption, system crash (denial of service), or potentially arbitrary code execution in kernel context, depending on the memory layout and timing.
Mitigation
The fix, backported to stable kernel branches [1][2][3], ensures that devm_free_irq() is called before freeing resources. This disables the interrupt and waits for any in-progress ISR to complete, eliminating the race condition.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74baenvd
- git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84nvd
- git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412nvd
- git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7nvd
- git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0nvd
- git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580nvd
- git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69nvd
- git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545fnvd
News mentions
0No linked articles in our index yet.