Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-43432— usb: xhci: Fix memory leak in xhci_disable_slot()

AI Predicted 5.5 Difficulty: Moderate EPSS 0.04% · P12

Possible ATT&CK Techniques 1AI

T1499 · Endpoint Denial of Service

Affected Version Matrix 20

VendorProductVersion RangeStatus
LinuxLinuxfee8be5bde562d4f5f9a100ca80c6d7072ed34c8< 1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62affected
02d5a2a48bb44e7404b794df87e57588b2fd604e< 6288baf0c8c4dcfbf206773aede9c1f2269cec28affected
7faac1953ed1f658f719cdf7bb7303fa5eef822c< 46aea90763832cd6e9b0c2e1c00e6a9512156d4baffected
7faac1953ed1f658f719cdf7bb7303fa5eef822c< 2e2baa8fb5aa4d080cbfeb84c51eff797529f413affected
7faac1953ed1f658f719cdf7bb7303fa5eef822c< 807e4fb5140c73eb5dba1e399a990db5c1f3cdf8affected
7faac1953ed1f658f719cdf7bb7303fa5eef822c< c65f1b840ab8ce72ba68f1b63bab7960f8fdfa89affected
7faac1953ed1f658f719cdf7bb7303fa5eef822c< 078b446efc0f5e496c31bccb72b98af979963a83affected
7faac1953ed1f658f719cdf7bb7303fa5eef822c< c1c8550e70401159184130a1afc6261db01fc0ceaffected
… +12 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-43432

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
usb: xhci: Fix memory leak in xhci_disable_slot()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix memory leak in xhci_disable_slot() xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak. Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the associated completion structure. Since the command structure is allocated with zero-initialization, command->in_ctx is NULL and will not be erroneously freed by xhci_free_command(). This bug was found using an experimental static analysis tool we are developing. The tool is based on the LLVM framework and is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available, but we plan to open-source it after our research is published. The bug was originally detected on v6.13-rc1 using our static analysis tool, and we have verified that the issue persists in the latest mainline kernel. We performed build testing on x86_64 with allyesconfig using GCC=11.4.0. Since triggering these error paths in xhci_disable_slot() requires specific hardware conditions or abnormal state, we were unable to construct a test case to reliably trigger these specific error paths at runtime.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于xhci驱动在xhci_disable_slot()错误处理路径中仅使用kfree()释放命令结构,导致完成结构泄漏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux fee8be5bde562d4f5f9a100ca80c6d7072ed34c8 ~ 1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62 -
LinuxLinux 5.16 -

II. Public POCs for CVE-2026-43432

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-43432

登录查看更多情报信息。
Patch · 8

Same Patch Batch · Linux · 2026-05-08 · 199 CVEs total

CVE-2026-433769.8 CRITICALksmbd: fix use-after-free by using call_rcu() for oplock_info
CVE-2026-434149.8 CRITICALscsi: qla2xxx: Completely fix fcport double free
CVE-2026-433419.8 CRITICALnet/ipv6: ioam6: prevent schema length wraparound in trace fill
CVE-2026-433049.8 CRITICALlibceph: define and enforce CEPH_MAX_KEY_LEN
CVE-2026-434029.8 CRITICALkthread: consolidate kthread exit paths to prevent use-after-free
CVE-2026-433799.8 CRITICALksmbd: fix use-after-free in smb_lazy_parent_lease_break_close()
CVE-2026-434659.8 CRITICALnet/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ
CVE-2026-433849.8 CRITICALnet/tcp-ao: Fix MAC comparison to be constant-time
CVE-2026-433839.4 CRITICALnet/tcp-md5: Fix MAC comparison to be constant-time
CVE-2026-434079.1 CRITICALlibceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
CVE-2026-434069.1 CRITICALlibceph: prevent potential out-of-bounds reads in process_message_header()
CVE-2026-432848.8 HIGHxfrm: esp: avoid in-place decrypt on shared skb frags
CVE-2026-433348.8 HIGHBluetooth: SMP: force responder MITM requirements before building the pairing response
CVE-2026-434038.8 HIGHnsfs: tighten permission checks for ns iteration ioctls
CVE-2026-433228.8 HIGHBluetooth: hci_sync: Fix UAF in le_read_features_complete
CVE-2026-433918.8 HIGHnsfs: tighten permission checks for handle opening
CVE-2026-432918.3 HIGHnet: nfc: nci: Fix parameter validation for packet data
CVE-2026-434668.2 HIGHnet/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
CVE-2026-434528.2 HIGHnetfilter: x_tables: guard option walkers against 1-byte tail reads
CVE-2026-433658.2 HIGHxfs: fix undersized l_iclog_roundoff values

Showing top 20 of 199 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-43432

No comments yet

Leave a comment