PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43426 Linux CVE debrief

CVE-2026-43426 is a Linux kernel use-after-free in the Renesas USBHS driver’s interrupt handling during device removal. The public record says usbhs_remove() freed driver resources, including the pipe array, while usbhs_interrupt() was still registered. If an interrupt arrived after usbhs_pipe_remove() but before unbind completed, the ISR could dereference freed memory. The fix moves devm_free_irq() earlier so the interrupt handler is disabled and synchronized before resources are released.

Vendor: Linux
Product: Unknown
CVSS: 7.8 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators of systems that include the renesas_usbhs driver in affected kernel branches. This is most relevant anywhere kernel updates are staged slowly or embedded/industrial deployments remain on older stable releases.

Technical summary

NVD classifies the issue as CWE-416 (use-after-free) with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. According to the record, affected Linux kernel ranges span multiple stable branches: 3.0 through 5.10.252, 5.11 through 5.15.202, 5.16 through 6.1.166, 6.2 through 6.6.129, 6.7 through 6.12.77, 6.13 through 6.18.18, 6.19 through 6.19.8, plus 7.0-rc1 through 7.0-rc4. The described fix is to call devm_free_irq() before usbhs_pipe_remove(), ensuring the IRQ handler is disabled and any running ISR completes before the driver frees the pipe array and related resources.

Defensive priority

High. The issue is locally reachable, but it affects kernel memory safety and carries high confidentiality, integrity, and availability impact in the CVSS record. Prioritize upgrades on systems that ship or use the affected driver.

Recommended defensive actions

  • Upgrade to a fixed kernel release in the affected branch line: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, or 6.19.9, as appropriate for your branch.
  • Apply the referenced stable kernel patches from the official kernel.org links if you maintain downstream kernels.
  • Confirm whether your hardware and kernel configuration actually use the renesas_usbhs driver, then prioritize those hosts for remediation.
  • Track device-removal and hot-unplug test paths in validation, because the vulnerable path is in usbhs_remove() and interrupt teardown ordering.
  • If immediate patching is not possible, reduce exposure by limiting local administrative access on affected hosts and accelerating kernel maintenance windows.
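A host-side check for the first and third actions above, added here as an example; it is not PatchSiren's or the kernel project's code. The vulnerable ranges and fixed releases are copied from the record above; the function names and the assumed config symbol CONFIG_USB_RENESAS_USBHS are this example's own choices.

```shell
#!/bin/sh
# Added example: classify a kernel version against the CVE-2026-43426 ranges.
# Each entry is first-affected:first-fixed (end exclusive), from the record above.
CVE_2026_43426_RANGES="3.0:5.10.253 5.11:5.15.203 5.16:6.1.167 6.2:6.6.130 6.7:6.12.78 6.13:6.18.19 6.19:6.19.9"

# Numeric dotted-version compare; prints -1, 0 or 1. Missing components count as 0.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# Strip distro suffixes: "6.1.166-rt12-generic" -> "6.1.166".
base_version() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# Prints "vulnerable", "fixed" or "outside-listed-ranges"; returns 0 only for "fixed".
cve_2026_43426_status() {
  v=$(base_version "$1")
  case "$1" in                      # 7.0-rc1..rc4 are listed affected, no fix given
    7.0-rc[1-4]|7.0-rc[1-4]-*) echo vulnerable; return 1 ;;
  esac
  for r in $CVE_2026_43426_RANGES; do
    lo=${r%%:*}; fix=${r##*:}
    if [ "$(version_cmp "$v" "$lo")" -ge 0 ] && [ "$(version_cmp "$v" "$fix")" -lt 0 ]; then
      echo vulnerable; return 1
    fi
    # Same stable branch (major.minor) as a fixed release and at or past it: fixed.
    if [ "${v%.*}" = "${fix%.*}" ] && [ "$(version_cmp "$v" "$fix")" -ge 0 ]; then
      echo fixed; return 0
    fi
  done
  echo outside-listed-ranges; return 2
}

# Is the driver even loaded or built in on this host? (assumed config symbol name)
renesas_usbhs_present() {
  lsmod 2>/dev/null | grep -q '^renesas_usbhs' && return 0
  grep -qs '^CONFIG_USB_RENESAS_USBHS=[ym]' "/boot/config-$(uname -r)" && return 0
  zcat /proc/config.gz 2>/dev/null | grep -q '^CONFIG_USB_RENESAS_USBHS=[ym]'
}

# Report for the running kernel; the non-zero status is deliberately ignored here.
cve_2026_43426_status "$(uname -r)" || :
```

A host whose version reports "fixed" but that does not build or load the driver was never exposed through this path; a "vulnerable" host where `renesas_usbhs_present` fails can still be scheduled behind the ones that actually use the driver.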

Evidence notes

This debrief is based only on the supplied NVD record and official kernel.org patch references. The record lists the issue as analyzed, assigns CWE-416, and provides the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The source description explicitly states the removal-time ISR use-after-free and the fix order change involving devm_free_irq() before freeing resources. NVD also supplies vulnerable CPE ranges and patch references on git.kernel.org.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-08 and last modified in NVD on 2026-05-20. The source record and official patch links indicate the issue was fixed through upstream kernel changes after disclosure.