USB: dummy-hcd: Fix locking/synchronization error

Summary

CVE	CVE-2026-43327
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-08 14:16:42 UTC
Updated	2026-05-15 18:05:56 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000240000 probability, percentile 0.070360000 (date 2026-05-12)

Problem Types: CWE-667

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 6350c7dd33ab481ef41c931a238361490c32d15c git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 cc97fb5969177cccce2e23b31298df220fc7570d git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 218886b2ef2dea7627d3700ab0abaf4bf9d1161f git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 791966f85b439b261bf19865cf1c07c065ffb4b4 git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 805b1833d6ed6da5086e610578a28e71bb54fbbb git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 efbd9441f1e769a7aae1813d497cec09cbdff031 git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 69ab97a693251d6a6093e630060a3c744fd58524 git	Not specified
CNA	Linux	Linux	affected 7dbd8f4cabd96db5a50513de9d83a8105a5ffc81 616a63ff495df12863692ab3f9f7b84e3fa7a66d git	Not specified
CNA	Linux	Linux	affected 7b416b9dac6ede26d4ca0c1a88b448b543623ff3 git	Not specified
CNA	Linux	Linux	affected 8590bc1da625dd4a589eac0fc3aa3cf4f400424d git	Not specified
CNA	Linux	Linux	affected a867d5b932ac4911d3f8a1e63505061b0c81f889 git	Not specified
CNA	Linux	Linux	affected e84b4a008365b7edbd842a063ae28d040a98db25 git	Not specified
CNA	Linux	Linux	affected e39b17143a5b5aac81f066d455e5d3a9877eb3ae git	Not specified
CNA	Linux	Linux	affected 4f8ae1fcb0dfbb72a7678f81bf01fb7fc85c6715 git	Not specified
CNA	Linux	Linux	affected 4.14	Not specified
CNA	Linux	Linux	unaffected 4.14 semver	Not specified
CNA	Linux	Linux	unaffected 5.10.253 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.203 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.168 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.134 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.81 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.22 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.12 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.