{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43250", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.996Z", "datePublished": "2026-05-06T11:28:41.158Z", "dateUpdated": "2026-05-06T11:28:41.158Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-06T11:28:41.158Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()\n\nThe ChipIdea UDC driver can encounter \"not page aligned sg buffer\"\nerrors when a USB device is reconnected after being disconnected\nduring an active transfer. This occurs because _ep_nuke() returns\nrequests to the gadget layer without properly unmapping DMA buffers\nor cleaning up scatter-gather bounce buffers.\n\nRoot cause:\nWhen a disconnect happens during a multi-segment DMA transfer, the\nrequest's num_mapped_sgs field and sgt.sgl pointer remain set with\nstale values. The request is returned to the gadget driver with status\n-ESHUTDOWN but still has active DMA state. If the gadget driver reuses\nthis request on reconnect without reinitializing it, the stale DMA\nstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zero\nnum_mapped_sgs) and attempt to use freed/invalid DMA addresses,\nleading to alignment errors and potential memory corruption.\n\nThe normal completion path via _hardware_dequeue() properly calls\nusb_gadget_unmap_request_by_dev() and sglist_do_debounce() before\nreturning the request. The _ep_nuke() path must do the same cleanup\nto ensure requests are returned in a clean, reusable state.\n\nFix:\nAdd DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror\nthe cleanup sequence in _hardware_dequeue():\n- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set\n- Call sglist_do_debounce() with copy=false if bounce buffer exists\n\nThis ensures that when requests are returned due to endpoint shutdown,\nthey don't retain stale DMA mappings. The 'false' parameter to\nsglist_do_debounce() prevents copying data back (appropriate for\nshutdown path where transfer was aborted)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/chipidea/udc.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1b72b834511d17f4d069d512f78671f3f210a2f1", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e74c436f8568af1c60942469d0a2300b3ada3857", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "cea2a1257a3b5ea3e769a445b34af13e6aa5a123", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/chipidea/udc.c"], "versions": [{"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1"}, {"url": "https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec"}, {"url": "https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857"}, {"url": "https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123"}], "title": "usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()\n\nThe ChipIdea UDC driver can encounter \"not page aligned sg buffer\"\nerrors when a USB device is reconnected after being disconnected\nduring an active transfer. This occurs because _ep_nuke() returns\nrequests to the gadget layer without properly unmapping DMA buffers\nor cleaning up scatter-gather bounce buffers.\n\nRoot cause:\nWhen a disconnect happens during a multi-segment DMA transfer, the\nrequest's num_mapped_sgs field and sgt.sgl pointer remain set with\nstale values. The request is returned to the gadget driver with status\n-ESHUTDOWN but still has active DMA state. If the gadget driver reuses\nthis request on reconnect without reinitializing it, the stale DMA\nstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zero\nnum_mapped_sgs) and attempt to use freed/invalid DMA addresses,\nleading to alignment errors and potential memory corruption.\n\nThe normal completion path via _hardware_dequeue() properly calls\nusb_gadget_unmap_request_by_dev() and sglist_do_debounce() before\nreturning the request. The _ep_nuke() path must do the same cleanup\nto ensure requests are returned in a clean, reusable state.\n\nFix:\nAdd DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror\nthe cleanup sequence in _hardware_dequeue():\n- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set\n- Call sglist_do_debounce() with copy=false if bounce buffer exists\n\nThis ensures that when requests are returned due to endpoint shutdown,\nthey don't retain stale DMA mappings. The 'false' parameter to\nsglist_do_debounce() prevents copying data back (appropriate for\nshutdown path where transfer was aborted)."}], "id": "CVE-2026-43250", "lastModified": "2026-05-06T13:07:51.607", "metrics": {}, "published": "2026-05-06T12:16:45.620", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}