PT-2026-37590 · Linux · Linux Kernel
Published 2026-05-06 · Updated 2026-05-09 · CVE-2026-43250
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The ChipIdea UDC driver fails to unmap DMA buffers and to clean up scatter-gather bounce buffers when the _ep_nuke() function is called because a USB device disconnects during an active transfer. As a result, the num_mapped_sgs field and the sgt.sgl pointer retain stale values. If the gadget driver reuses the request upon reconnection without reinitialization, the _hardware_enqueue() function may skip DMA mapping and use invalid DMA addresses, potentially leading to memory corruption and alignment errors.
Recommendations
Update the Linux kernel to a version where the _ep_nuke() function includes calls to usb_gadget_unmap_request_by_dev() when num_mapped_sgs is set and sglist_do_debounce() when a bounce buffer exists.
Fix
RCE
Memory Corruption
Affected Products
Linux Kernel
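Because the affected versions are not specified, one way to apply the recommendation is to check a kernel source tree directly for the two cleanup calls inside _ep_nuke(). The following is an added example, not code from this advisory or from the kernel: the helper names function_body and missing_cleanup are hypothetical, the two C sources are constructed stand-ins, and the text match is a heuristic that a differently structured backport could evade.

```python
import re
# Cleanup calls the advisory says a fixed _ep_nuke() contains.
REQUIRED = ("usb_gadget_unmap_request_by_dev", "sglist_do_debounce")

def function_body(src, name):
    """Return the brace-delimited body of the C definition of `name`, or None."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", " ", src, flags=re.S)  # drop comments
    for m in re.finditer(r"\b%s\s*\(" % re.escape(name), src):
        i, depth = m.end(), 1
        while i < len(src) and depth:          # find ')' closing the parameters
            depth += {"(": 1, ")": -1}.get(src[i], 0)
            i += 1
        # Allow annotations like __releases(...); ';' or ')' means prototype/call.
        head = re.match(r"(?:\s*__\w+\s*\([^()]*\))*\s*\{", src[i:])
        if not head:
            continue
        start, depth = i + head.end() - 1, 0   # index of the opening '{'
        for j in range(start, len(src)):
            depth += {"{": 1, "}": -1}.get(src[j], 0)
            if depth == 0:
                return src[start:j + 1]
    return None

def missing_cleanup(src, func="_ep_nuke"):
    """List required calls absent from `func`; None if `func` is not defined."""
    body = function_body(src, func)
    return None if body is None else [
        c for c in REQUIRED if not re.search(r"\b%s\s*\(" % c, body)]

# Constructed stand-ins for illustration, not the kernel's actual code.
UNPATCHED = """
static int _ep_nuke(struct ci_hw_ep *hwep);
static int _ep_nuke(struct ci_hw_ep *hwep)
__releases(hwep->lock)
{
    /* no usb_gadget_unmap_request_by_dev() on this path */
    while (!list_empty(&hwep->qh.queue)) { list_del_init(&hwreq->queue); }
    return 0;
}
"""
PATCHED = UNPATCHED.replace("list_del_init(&hwreq->queue);", """
        if (hwreq->req.num_mapped_sgs)
            usb_gadget_unmap_request_by_dev(dev, &hwreq->req, dir);
        if (hwreq->sgt.sgl)
            sglist_do_debounce(hwreq, false);
        list_del_init(&hwreq->queue);""")

if __name__ == "__main__":
    print("unpatched:", missing_cleanup(UNPATCHED), "| patched:", missing_cleanup(PATCHED))
```

To use it on a real tree, pass the text of the ChipIdea UDC driver source file to missing_cleanup(); an empty list means both calls are present in the function body, while None means the function was not found in that file.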