{"id":"CVE-2026-43324","summary":"USB: dummy-hcd: Fix interrupt synchronization error","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: dummy-hcd: Fix interrupt synchronization error\n\nThis fixes an error in synchronization in the dummy-hcd driver.  The\nerror has a somewhat involved history.  The synchronization mechanism\nwas introduced by commit 7dbd8f4cabd9 (\"USB: dummy-hcd: Fix erroneous\nsynchronization change\"), which added an emulated \"interrupts enabled\"\nflag together with code emulating synchronize_irq() (it waits until\nall current handler callbacks have returned).\n\nBut the emulated interrupt-disable occurred too late, after the driver\ncontaining the handler callback routines had been told that it was\nunbound and no more callbacks would occur.  Commit 4a5d797a9f9c (\"usb:\ngadget: dummy_hcd: fix gpf in gadget_setup\") tried to fix this by\nmoving the synchronize_irq() emulation code from dummy_stop() to\ndummy_pullup(), which runs before the unbind callback.\n\nThere still were races, though, because the emulated interrupt-disable\nstill occurred too late.  It couldn't be moved to dummy_pullup(),\nbecause that routine can be called for reasons other than an impending\nunbind.  Therefore commits 7dc0c55e9f30 (\"USB: UDC core: Add\nudc_async_callbacks gadget op\") and 04145a03db9d (\"USB: UDC: Implement\nudc_async_callbacks in dummy-hcd\") added an API allowing the UDC core\nto tell dummy-hcd exactly when emulated interrupts and their callbacks\nshould be disabled.\n\nThat brings us to the current state of things, which is still wrong\nbecause the emulated synchronize_irq() occurs before the emulated\ninterrupt-disable!  That's no good, beause it means that more emulated\ninterrupts can occur after the synchronize_irq() emulation has run,\nleading to the possibility that a callback handler may be running when\nthe gadget driver is unbound.\n\nTo fix this, we have to move the synchronize_irq() emulation code yet\nagain, to the dummy_udc_async_callbacks() routine, which takes care of\nenabling and disabling emulated interrupt requests.  The\nsynchronization will now run immediately after emulated interrupts are\ndisabled, which is where it belongs.","modified":"2026-07-08T08:13:29.673114939Z","published":"2026-05-08T13:31:08.850Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43324.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43324.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43324"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"04145a03db9d78469e0817ab3a767c76c0fb0947"},{"fixed":"d847f375b1bcea713143bc02720d13d2d01b012a"},{"fixed":"cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4"},{"fixed":"5aa776c8615bea3b1eaeec87b0788375800ead4f"},{"fixed":"94d4fab1dd9e64f45449bcc7d6a5acf796b13015"},{"fixed":"5687a09776069bd915560021c9728ca528440128"},{"fixed":"8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7"},{"fixed":"2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43324.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.14.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.134"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43324.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}