{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43426", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.009Z", "datePublished": "2026-05-08T14:21:59.668Z", "dateUpdated": "2026-05-08T14:21:59.668Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:21:59.668Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: fix use-after-free in ISR during device removal\n\nIn usbhs_remove(), the driver frees resources (including the pipe array)\nwhile the interrupt handler (usbhs_interrupt) is still registered. If an\ninterrupt fires after usbhs_pipe_remove() but before the driver is fully\nunbound, the ISR may access freed memory, causing a use-after-free.\n\nFix this by calling devm_free_irq() before freeing resources. This ensures\nthe interrupt handler is both disabled and synchronized (waits for any\nrunning ISR to complete) before usbhs_pipe_remove() is called."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/renesas_usbhs/common.c"], "versions": [{"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "c7012fc73dab4829404fedeeaa8531f12ac8545f", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "51afaf919bbaacdd9cc9e146033ae0a743a42dd7", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "1899edac312ef17a7234851686e8a703f56d0a84", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "9c6159d5b72d5fc265cce5da04f27d730b552e69", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "6287e0c01ccb818e7214f88d885ffb7c9e81b0e0", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "6ffe44f022c95b1b29c691d2169c5abc046f7580", "status": "affected", "versionType": "git"}, {"version": "f1407d5c66240b33d11a7f1a41d55ccf6a9d7647", "lessThan": "3cbc242b88c607f55da3d0d0d336b49bf1e20412", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/renesas_usbhs/common.c"], "versions": [{"version": "3.0", "status": "affected"}, {"version": "0", "lessThan": "3.0", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f"}, {"url": "https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7"}, {"url": "https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84"}, {"url": "https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69"}, {"url": "https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0"}, {"url": "https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae"}, {"url": "https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580"}, {"url": "https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412"}], "title": "usb: renesas_usbhs: fix use-after-free in ISR during device removal", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: fix use-after-free in ISR during device removal\n\nIn usbhs_remove(), the driver frees resources (including the pipe array)\nwhile the interrupt handler (usbhs_interrupt) is still registered. If an\ninterrupt fires after usbhs_pipe_remove() but before the driver is fully\nunbound, the ISR may access freed memory, causing a use-after-free.\n\nFix this by calling devm_free_irq() before freeing resources. This ensures\nthe interrupt handler is both disabled and synchronized (waits for any\nrunning ISR to complete) before usbhs_pipe_remove() is called."}], "id": "CVE-2026-43426", "lastModified": "2026-05-08T15:16:54.740", "metrics": {}, "published": "2026-05-08T15:16:54.740", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: usb: renesas_usbhs: fix use-after-free in ISR during device removal", "id": "2468253", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468253"}, "csaw": false, "cwe": "CWE-364", "details": ["A flaw was found in the Linux kernel's `renesas_usbhs` driver. This vulnerability occurs during the removal of a USB device, where the driver frees memory resources before fully unregistering its interrupt handler. If an interrupt fires during this critical window, the interrupt service routine (ISR) attempts to access memory that has already been deallocated, leading to a use-after-free condition. This can result in system instability or a denial of service (DoS)."], "name": "CVE-2026-43426", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43426\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43426\nhttps://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43426-eef1@gregkh/T"]}