VYPR
← All advisories
Unrated severityNVD Advisory· Published May 13, 2026

CVE-2026-43488

CVE-2026-43488

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Prevent interrupt storm on host controller error (HCE)

The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults.

When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt().

Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors.

This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing xhci_halt() call in the Linux kernel's xHCI interrupt handler causes an interrupt storm when a Host Controller Error (HCE) occurs, leading to system faults.

Vulnerability

Overview

In the Linux kernel's USB xHCI driver, a Host Controller Error (HCE) can be triggered during UAS Storage Device plug/unplug scenarios on Android devices. When the HCE status is detected in the xhci_irq() interrupt handler, the driver previously only logged a warning and assumed the controller would stop activity as per the xHCI specification. However, on some hosts, the interrupt continues to fire after HCE, causing an interrupt storm that leads to severe system-level faults.

Exploitation and

Attack Surface

The vulnerability is triggered by physical USB events (plugging or unplugging a UAS storage device) that cause the xHC to report HCE. No authentication or special privileges are required beyond physical access to a USB port. The interrupt storm occurs because the driver does not disable the xHC interrupt or halt the controller when HCE is detected, unlike the existing error handling for STS_FATAL errors.

Impact

An attacker with physical USB access can cause a denial-of-service (DoS) condition by repeatedly plugging/unplugging a UAS device, triggering HCE and the subsequent interrupt storm. This can render the system unresponsive or cause severe performance degradation.

Mitigation

The fix adds a call to xhci_halt() in the xhci_irq() function where STS_HCE is checked, mirroring the pattern used for STS_FATAL errors. This stops the interrupt storm by disabling the xHC interrupt and halting the controller. Proper HCE recovery still requires a full reset and re-initialization of the xHC. The patch has been applied to the stable kernel trees [1][2][3][4].

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

5
d6d5febd1245
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
b2dd9abf8c06
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
6f91f3f08719
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
09ff0099c6cf
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit
cd41e0d1df8f
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitvia nvd-ref
commit

Vulnerability mechanics

Root cause

"Missing xHC halt and interrupt disable in the HCE (Host Controller Error) handler path causes an interrupt storm because the interrupt status bit is never cleared."

Attack vector

An attacker with physical access can trigger a Host Controller Error (HCE) by repeatedly plugging and unplugging a UAS Storage Device on an Android device. When the xHC controller reports HCE in xhci_irq(), the driver only logs a warning and does not clear the interrupt or halt the controller. On some hosts the xHC continues asserting the interrupt line, causing an interrupt storm that leads to severe system-level faults.

Affected code

The vulnerability is in the xhci_irq() interrupt handler within the xHCI host controller driver. When STS_HCE (Host Controller Error) is detected, the handler previously only logged a warning and returned without halting the controller or disabling the interrupt. The fix adds a call to xhci_halt() in this code path.

What the fix does

The patch adds a call to xhci_halt() inside the STS_HCE handling block of xhci_irq(), mirroring the existing pattern used for STS_FATAL errors. By halting the xHC and disabling its interrupts, the controller stops asserting the interrupt line, which breaks the interrupt storm. The fix does not implement full HCE recovery (which requires a reset and re-initialization), but it eliminates the immediate system-level fault caused by the storm.

Preconditions

  • inputAttacker must be able to physically plug/unplug a UAS Storage Device to trigger HCE
  • networkNo network access required; attack is physical/local

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.