PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43488 Linux CVE debrief

CVE-2026-43488 describes a Linux kernel xHCI error-handling flaw where a Host Controller Error (HCE) may continue generating interrupts instead of stopping cleanly. In the reported UAS storage plug/unplug scenario on Android devices, that can lead to an interrupt storm and severe system-level faults. The fix adds xhci_halt() to the HCE path in xhci_irq(), matching the existing handling used for fatal errors. The patch stops the storm, but does not provide full HCE recovery; proper recovery still requires resetting and re-initializing the xHC.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-13
Advisory published: 2026-05-13
Advisory updated: 2026-05-13

Who should care

Kernel maintainers, Linux distribution security teams, Android platform integrators, and operators of systems that rely on USB storage/UAS hotplug paths should prioritize this advisory. Systems that can encounter xHCI Host Controller Error conditions are the most relevant, especially where repeated interrupts can destabilize the machine.

Technical summary

The issue is in the Linux kernel USB xHCI interrupt handler. When STS_HCE is observed, the driver previously logged a warning and assumed controller activity would cease per the xHCI specification. On some hosts, interrupts continue after HCE because the interrupt is not cleared, creating an interrupt storm. The mitigation is to halt the controller in the HCE branch via xhci_halt(), similar to the existing STS_FATAL handling. This change addresses the storm condition, but the description notes that complete HCE recovery still requires controller reset and re-initialization.
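To make the failure mode concrete, the following is an added, self-contained C model written for this debrief; it is not the kernel's xhci_irq() or any code from the referenced commits. The status-bit values, the struct xhc_model, and the functions xhc_irq(), xhc_halt() and simulate_hce() are assumptions made for the illustration. The "sticky" HCE flag models a host whose error condition keeps the interrupt line asserted, and the two handler variants show why returning after a warning storms while halting the controller quiesces the line.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an xHCI-style USBSTS register. Bit positions are
 * assumed for this example and are not taken from the kernel's headers;
 * the handler logic, not the values, is the point. */
#define STS_HALT  (1u << 0)   /* HCHalted: controller is stopped */
#define STS_FATAL (1u << 2)   /* HSE: host system error */
#define STS_EINT  (1u << 3)   /* EINT: event interrupt pending */
#define STS_HCE   (1u << 12)  /* HCE: host controller error */

/* Hypothetical host controller. hce_sticky models the hardware described
 * in the advisory: the HCE condition never clears on its own, so the
 * interrupt line stays asserted instead of going quiet. */
struct xhc_model {
    uint32_t usbsts;
    bool     hce_sticky;
};

/* A halted controller raises no interrupts; otherwise the line is
 * asserted while any interrupt-causing status bit is set. */
static bool xhc_line_asserted(const struct xhc_model *hc)
{
    if (hc->usbsts & STS_HALT)
        return false;
    return (hc->usbsts & (STS_EINT | STS_HCE | STS_FATAL)) != 0;
}

/* Stand-in for the driver's halt routine: stop the controller. */
static void xhc_halt(struct xhc_model *hc)
{
    hc->usbsts |= STS_HALT;
}

/* Write-1-to-clear acknowledgement of status bits. On the sticky host,
 * clearing HCE has no lasting effect. */
static void xhc_ack(struct xhc_model *hc, uint32_t bits)
{
    hc->usbsts &= ~bits;
    if (hc->hce_sticky)
        hc->usbsts |= STS_HCE;
}

/* Simplified interrupt handler. halt_on_hce = false is the pre-fix
 * behaviour (warn and return, trusting the spec that the xHC stops);
 * halt_on_hce = true is the fixed behaviour, mirroring the STS_FATAL
 * branch. Returns true when the interrupt belonged to this controller. */
static bool xhc_irq(struct xhc_model *hc, bool halt_on_hce)
{
    uint32_t status = hc->usbsts;

    if (status & STS_HALT)
        return false;            /* halted controller: nothing to do */

    if (status & STS_FATAL) {
        xhc_halt(hc);            /* existing fatal-error handling */
        return true;
    }

    if (status & STS_HCE) {
        fprintf(stderr, "WARNING: Host Controller Error\n");
        if (halt_on_hce)
            xhc_halt(hc);        /* the fix: stop the xHC explicitly */
        return true;             /* pre-fix: return without halting */
    }

    xhc_ack(hc, STS_EINT);       /* normal event-ring processing */
    return true;
}

/* Deliver interrupts for as long as the line stays asserted, up to 'cap'.
 * Returns how many fired; reaching the cap means an interrupt storm. */
unsigned simulate_hce(bool halt_on_hce, unsigned cap)
{
    struct xhc_model hc = { .usbsts = STS_EINT | STS_HCE, .hce_sticky = true };
    unsigned fired = 0;

    while (fired < cap && xhc_line_asserted(&hc)) {
        xhc_irq(&hc, halt_on_hce);
        fired++;
    }
    return fired;
}

int main(void)
{
    printf("pre-fix handler: %u interrupts (hit cap, storm)\n", simulate_hce(false, 1000));
    printf("fixed handler:   %u interrupt(s), controller halted\n", simulate_hce(true, 1000));
    return 0;
}
```

The model matches the limitation the advisory states: after the fix the controller sits halted, and nothing here resets or re-initializes it, so storage on that host stays unavailable until a full xHC recovery path runs.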

Defensive priority

High for environments that expose xHCI/UAS hotplug scenarios, because the issue can escalate into a system-wide denial of service or instability. Even without a CVSS score in the supplied corpus, the described impact warrants prompt kernel update assessment.

Recommended defensive actions

  • Review whether your Linux kernels include the upstream/stable xHCI HCE fix referenced by the supplied kernel commits.
  • Prioritize updates on Android devices and other systems that use USB Attached SCSI (UAS) storage with frequent plug/unplug activity.
  • Monitor for repeated xHCI interrupt activity or instability following USB controller error events.
  • If updating is delayed, reduce exposure to USB storage hotplug paths where operationally feasible.
  • Track downstream vendor advisories and kernel backports for the specific xHCI fix rather than relying on the generic CVE text alone.
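One way to act on the monitoring item above is to compare two /proc/interrupts snapshots and flag an abnormal xHCI interrupt rate. The following C program is an added example for this debrief, not tooling from the kernel project or the advisory source; the function names (xhci_total, xhci_irq_rate, xhci_storm_suspected) and the threshold are my own choices, and the two snapshots are constructed sample text in /proc/interrupts layout, not captured from a real host.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed snapshots in /proc/interrupts layout, 10 seconds apart.
 * Only lines whose description names xhci_hcd are counted. */
static const char SNAP_T0[] =
    "           CPU0       CPU1\n"
    "  27:      12000       8000   IR-PCI-MSI 327680-edge      xhci_hcd\n"
    "  28:        500        300   IR-PCI-MSI 520192-edge      nvme0q0\n";
static const char SNAP_T1[] =
    "           CPU0       CPU1\n"
    "  27:     612000     408000   IR-PCI-MSI 327680-edge      xhci_hcd\n"
    "  28:        520        310   IR-PCI-MSI 520192-edge      nvme0q0\n";

/* Sum the per-CPU counters on one line; 0 for headers and non-xHCI IRQs. */
static unsigned long xhci_line_total(const char *line, size_t len)
{
    char buf[512];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';

    if (!strstr(buf, "xhci_hcd"))
        return 0;
    const char *p = strchr(buf, ':');      /* counters follow "NN:" */
    if (!p)
        return 0;
    p++;

    unsigned long total = 0;
    for (;;) {
        while (isspace((unsigned char)*p))
            p++;
        if (!isdigit((unsigned char)*p))
            break;                          /* reached the chip name */
        char *end;
        total += strtoul(p, &end, 10);
        p = end;
    }
    return total;
}

/* Total xHCI interrupts across every xhci_hcd line in a snapshot. */
unsigned long xhci_total(const char *snapshot)
{
    unsigned long total = 0;
    const char *line = snapshot;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        total += xhci_line_total(line, len);
        if (!nl)
            break;
        line = nl + 1;
    }
    return total;
}

/* Interrupts per second between two snapshots; 0 on a bad interval or
 * a counter that went backwards (reset or wrap). */
double xhci_irq_rate(const char *before, const char *after, double seconds)
{
    unsigned long a = xhci_total(before), b = xhci_total(after);
    if (seconds <= 0.0 || b < a)
        return 0.0;
    return (double)(b - a) / seconds;
}

/* A sustained rate far above the host's normal USB activity is the
 * signature of the storm this advisory describes. */
bool xhci_storm_suspected(const char *before, const char *after,
                          double seconds, double threshold_per_sec)
{
    return xhci_irq_rate(before, after, seconds) > threshold_per_sec;
}

int main(void)
{
    double rate = xhci_irq_rate(SNAP_T0, SNAP_T1, 10.0);
    printf("xHCI interrupt rate: %.0f/s, storm suspected: %s\n", rate,
           xhci_storm_suspected(SNAP_T0, SNAP_T1, 10.0, 10000.0) ? "yes" : "no");
    return 0;
}
```

In practice the two snapshots are read from /proc/interrupts a fixed interval apart, and the threshold is set from a baseline taken on the same hardware during normal USB activity; a rate alert is a prompt to check the kernel log for the Host Controller Error warning and to confirm whether the running kernel carries the fix.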

Evidence notes

All statements above are derived from the supplied CVE description and official references. The CVE was published and modified at 2026-05-13T16:16:52.107Z in the provided corpus. The references point to kernel.org stable commit URLs, which support that the issue was fixed in Linux kernel code, but no version range or CVSS data was provided in the corpus. The vendor field is unresolved/low confidence, so the debrief treats this as a Linux kernel issue rather than naming a specific product vendor.

Official resources

Published in the supplied corpus on 2026-05-13T16:16:52.107Z. The corpus does not include a CVSS score, affected version bounds, or exploit details.