PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43324 Linux kernel (dummy-hcd) CVE debrief

CVE-2026-43324 describes a Linux kernel dummy-hcd synchronization bug in the USB gadget emulation path. The issue is that the emulated synchronize_irq() logic could run before emulated interrupts were actually disabled, which left a race window where callbacks might still execute while the gadget driver was being unbound. The fix moves the synchronization step to the dummy_udc_async_callbacks() path so it runs immediately after emulated interrupts are disabled. NVD rates the issue CVSS 7.8 HIGH with a local, low-privilege attack vector.

Vendor
Git (as recorded in the stored evidence; the affected code is the Linux kernel, and the 'Git' label appears to derive from the git.kernel.org commit references)
Product
Unknown (per the stored evidence; the CVE description identifies the dummy-hcd USB gadget emulation driver)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-11
Advisory published
2026-05-08
Advisory updated
2026-05-11

Who should care

Linux kernel maintainers, distribution security teams, and operators using dummy-hcd or USB gadget emulation in test, development, or virtualization-like environments should review this advisory. dummy-hcd (CONFIG_USB_DUMMY_HCD) is a software-only host controller and device controller emulation that lets gadget drivers run without real USB hardware, so it is typically present in kernel test rigs and USB fuzzing setups rather than on production hosts. Kernel teams handling backports should pay attention to the ordering fix in the dummy-hcd interrupt and unbind flow.

Technical summary

According to the CVE description, dummy-hcd implemented an emulated 'interrupts enabled' state and an emulated synchronize_irq() wait. That synchronization was placed too early in the unbind flow, before emulated interrupts were disabled, so new emulated interrupts could still arrive afterward. The corrected design moves the synchronization into dummy_udc_async_callbacks(), which is the point where interrupt enable/disable decisions are made, ensuring callbacks are quiesced after interrupts are disabled and before unbind completes.
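The ordering described above, as an added single-threaded C model that is not kernel code and not part of the original page: the emulated interrupt is an enable flag plus a queue of scheduled completion callbacks, the emulated synchronize_irq() drains that queue, and a hook stands in for the interrupt that arrives between the two steps of unbind. Names such as dummy_hw, unbind_buggy, unbind_fixed, late_irq and stale_callbacks are hypothetical; only dummy_udc_async_callbacks() and synchronize_irq() are names taken from the CVE description.

```c
/* Added example, not kernel code: a single-threaded model of the dummy-hcd
 * ordering bug. Names such as dummy_hw and unbind_buggy are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_PENDING 8

/* Emulated "hardware": the emulated interrupt-enable state plus a queue of
 * completion callbacks the emulated interrupt has scheduled but not yet run. */
struct dummy_hw {
    bool irqs_enabled;
    int pending[MAX_PENDING];  /* endpoints awaiting a completion callback */
    int npending;
};

/* The gadget driver callbacks are delivered to; NULL once unbind finishes. */
struct gadget_driver {
    int completions_seen;
};

static struct gadget_driver *bound_driver;

/* Emulated interrupt arrival. Honors the emulated 'interrupts enabled' state:
 * a disabled controller drops the interrupt instead of scheduling a callback. */
static bool emulated_irq_raise(struct dummy_hw *hw, int ep)
{
    if (!hw->irqs_enabled || hw->npending == MAX_PENDING)
        return false;
    hw->pending[hw->npending++] = ep;
    return true;
}

/* Run every scheduled callback. Returns how many reached an already unbound
 * driver, which is the outcome the race makes possible. */
static int run_pending(struct dummy_hw *hw)
{
    int stale = 0;
    for (int i = 0; i < hw->npending; i++) {
        if (bound_driver)
            bound_driver->completions_seen++;
        else
            stale++;  /* callback delivered after unbind completed */
    }
    hw->npending = 0;
    return stale;
}

/* Emulated synchronize_irq(): wait until no callback is in flight. In this
 * single-threaded model that is simply draining the queue. */
static void emulated_synchronize_irq(struct dummy_hw *hw)
{
    run_pending(hw);
}

/* Stand-in for the interrupt that arrives between the two steps of unbind. */
typedef void (*race_hook_t)(struct dummy_hw *hw);

static void late_irq(struct dummy_hw *hw)
{
    emulated_irq_raise(hw, 1);
}

/* Buggy order: synchronize first, disable second. The late interrupt finds
 * interrupts still enabled, schedules a callback, and nothing drains it
 * before unbind completes. */
static int unbind_buggy(struct dummy_hw *hw, race_hook_t hook)
{
    emulated_synchronize_irq(hw);
    hook(hw);
    hw->irqs_enabled = false;
    bound_driver = NULL;
    return run_pending(hw);
}

/* Fixed order, matching the relocated synchronization in
 * dummy_udc_async_callbacks(): disable, then synchronize, then unbind.
 * The same late interrupt is now rejected at the enable check. */
static int unbind_fixed(struct dummy_hw *hw, race_hook_t hook)
{
    hw->irqs_enabled = false;
    hook(hw);
    emulated_synchronize_irq(hw);
    bound_driver = NULL;
    return run_pending(hw);
}

/* Bind a driver, generate one normal completion, then unbind with the given
 * ordering. Returns the number of callbacks delivered after unbind. */
static int stale_callbacks(int (*unbind)(struct dummy_hw *, race_hook_t))
{
    struct gadget_driver drv = { 0 };
    struct dummy_hw hw = { .irqs_enabled = true, .npending = 0 };
    bound_driver = &drv;
    emulated_irq_raise(&hw, 0);
    return unbind(&hw, late_irq);
}

int main(void)
{
    printf("synchronize-then-disable: %d callback(s) after unbind\n",
           stale_callbacks(unbind_buggy));
    printf("disable-then-synchronize: %d callback(s) after unbind\n",
           stale_callbacks(unbind_fixed));
    return 0;
}
```

With the synchronize-then-disable order the model delivers one callback to an unbound driver; with disable-then-synchronize it delivers none. That invariant, no callback may run once unbind has completed, is the property a backport review of the relocated synchronization should check, regardless of how the real driver's in-flight tracking is implemented.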

Defensive priority

High. The source corpus assigns CVSS 7.8 HIGH and the bug affects kernel callback synchronization during device unbind, so it should be prioritized for kernel patching and backport verification where dummy-hcd is present.

Recommended defensive actions

  • Apply the kernel fix that relocates the synchronization step into dummy_udc_async_callbacks().
  • Backport the fix to supported Linux kernel branches that include dummy-hcd and the affected callback-disable logic.
  • Verify any build, CI, or lab systems that rely on dummy-hcd USB gadget emulation are updated.
  • If you maintain downstream kernels, confirm the patch ordering preserves 'disable interrupts first, then synchronize, then unbind' semantics.
  • Track vendor advisories and stable kernel backports referenced by the official git.kernel.org links.

Evidence notes

Source corpus states the vulnerability was published 2026-05-08 and modified 2026-05-11. The NVD record gives CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and marks the status as 'Received', which means NVD has not yet completed its own analysis; the score, and the absence of affected-version data, should be treated as provisional and re-checked once the record is analyzed. The CVE description explains the race condition and the fix location. NVD includes multiple official git.kernel.org stable commit references, but no affected-version range, CPE criteria, or KEV entry is provided in the supplied data.

Official resources

The stored evidence consists of the CVE record (published 2026-05-08, NVD entry modified 2026-05-11) and the git.kernel.org stable commit references noted above; the commit URLs themselves are not reproduced in the supplied data.