CVE-2026-43250

Source
https://cve.org/CVERecord?id=CVE-2026-43250
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43250.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-43250
Downstream
Published
2026-05-06T11:28:41.158Z
Modified
2026-06-18T03:56:13.791130709Z
Summary
usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: udc: fix DMA and SG cleanup in epnuke()

The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because epnuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers.

Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's nummappedsgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes hardwareenqueue() to skip DMA mapping (seeing non-zero nummappedsgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption.

The normal completion path via hardwaredequeue() properly calls usbgadgetunmaprequestbydev() and sglistdo_debounce() before returning the request. The epnuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state.

Fix: Add DMA unmapping and bounce buffer cleanup to epnuke() to mirror the cleanup sequence in hardwaredequeue(): - Call usbgadgetunmaprequestbydev() if nummappedsgs is set - Call sglistdo_debounce() with copy=false if bounce buffer exists

This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglistdodebounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43250.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
aa69a8093ff985873cb44fe1157bd6db29a20fe4
Fixed
1b72b834511d17f4d069d512f78671f3f210a2f1
Fixed
f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec
Fixed
e74c436f8568af1c60942469d0a2300b3ada3857
Fixed
cea2a1257a3b5ea3e769a445b34af13e6aa5a123

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43250.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.29
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.16
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.6

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43250.json"