DEBIAN-CVE-2026-43488
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-43488
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43488.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-43488
- Upstream
- Published
- 2026-05-13T16:16:52.107Z
- Modified
- 2026-05-14T16:00:12.450277406Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhciirq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults. When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhcihalt(). Add xhcihalt() to xhciirq() function where STSHCE status is checked, mirroring the existing error handling pattern used for STSFATAL errors. This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.
- References
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source&distro=trixie
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.85-1
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source&distro=forky
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.19.10-1