{"api_version":"1","generated_at":"2026-05-13T07:47:44+00:00","cve":"CVE-2026-43426","urls":{"html":"https://cve.report/CVE-2026-43426","api":"https://cve.report/api/cve/CVE-2026-43426.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43426","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43426"},"summary":{"title":"usb: renesas_usbhs: fix use-after-free in ISR during device removal","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: fix use-after-free in ISR during device removal\n\nIn usbhs_remove(), the driver frees resources (including the pipe array)\nwhile the interrupt handler (usbhs_interrupt) is still registered. If an\ninterrupt fires after usbhs_pipe_remove() but before the driver is fully\nunbound, the ISR may access freed memory, causing a use-after-free.\n\nFix this by calling devm_free_irq() before freeing resources. This ensures\nthe interrupt handler is both disabled and synchronized (waits for any\nrunning ISR to complete) before usbhs_pipe_remove() is called.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 15:16:54","updated_at":"2026-05-12 14:10:27"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0","name":"https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412","name":"https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7","name":"https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae","name":"https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84","name":"https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69","name":"https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580","name":"https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f","name":"https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43426","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43426","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 c7012fc73dab4829404fedeeaa8531f12ac8545f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 51afaf919bbaacdd9cc9e146033ae0a743a42dd7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 1899edac312ef17a7234851686e8a703f56d0a84 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 9c6159d5b72d5fc265cce5da04f27d730b552e69 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 6287e0c01ccb818e7214f88d885ffb7c9e81b0e0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 6ffe44f022c95b1b29c691d2169c5abc046f7580 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected f1407d5c66240b33d11a7f1a41d55ccf6a9d7647 3cbc242b88c607f55da3d0d0d336b49bf1e20412 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.0","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.0 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.19 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.9 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43426","cve":"CVE-2026-43426","epss":"0.000240000","percentile":"0.070360000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/usb/renesas_usbhs/common.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c7012fc73dab4829404fedeeaa8531f12ac8545f","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"51afaf919bbaacdd9cc9e146033ae0a743a42dd7","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"1899edac312ef17a7234851686e8a703f56d0a84","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"9c6159d5b72d5fc265cce5da04f27d730b552e69","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"6287e0c01ccb818e7214f88d885ffb7c9e81b0e0","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"6ffe44f022c95b1b29c691d2169c5abc046f7580","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"},{"lessThan":"3cbc242b88c607f55da3d0d0d336b49bf1e20412","status":"affected","version":"f1407d5c66240b33d11a7f1a41d55ccf6a9d7647","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/usb/renesas_usbhs/common.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.0"},{"lessThan":"3.0","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.19","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.9","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.19","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"3.0","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"3.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: fix use-after-free in ISR during device removal\n\nIn usbhs_remove(), the driver frees resources (including the pipe array)\nwhile the interrupt handler (usbhs_interrupt) is still registered. If an\ninterrupt fires after usbhs_pipe_remove() but before the driver is fully\nunbound, the ISR may access freed memory, causing a use-after-free.\n\nFix this by calling devm_free_irq() before freeing resources. This ensures\nthe interrupt handler is both disabled and synchronized (waits for any\nrunning ISR to complete) before usbhs_pipe_remove() is called."}],"providerMetadata":{"dateUpdated":"2026-05-11T22:24:21.643Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f"},{"url":"https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7"},{"url":"https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84"},{"url":"https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69"},{"url":"https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0"},{"url":"https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae"},{"url":"https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580"},{"url":"https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412"}],"title":"usb: renesas_usbhs: fix use-after-free in ISR during device removal","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43426","datePublished":"2026-05-08T14:21:59.668Z","dateReserved":"2026-05-01T14:12:56.009Z","dateUpdated":"2026-05-11T22:24:21.643Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 15:16:54","lastModifiedDate":"2026-05-12 14:10:27","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43426","Ordinal":"1","Title":"usb: renesas_usbhs: fix use-after-free in ISR during device remo","CVE":"CVE-2026-43426","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43426","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: fix use-after-free in ISR during device removal\n\nIn usbhs_remove(), the driver frees resources (including the pipe array)\nwhile the interrupt handler (usbhs_interrupt) is still registered. If an\ninterrupt fires after usbhs_pipe_remove() but before the driver is fully\nunbound, the ISR may access freed memory, causing a use-after-free.\n\nFix this by calling devm_free_irq() before freeing resources. This ensures\nthe interrupt handler is both disabled and synchronized (waits for any\nrunning ISR to complete) before usbhs_pipe_remove() is called.","Type":"Description","Title":"usb: renesas_usbhs: fix use-after-free in ISR during device remo"}]}}}