Linux Kernel Vulnerability in xHCI Controller Affecting Android Devices
CVE-2026-43488

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-43488?

A significant vulnerability has been identified in the Linux kernel's xHCI controller driver, particularly affecting Android devices during UAS storage plug/unplug scenarios. It manifests when the xHCI controller reports a Host Controller Error (HCE), which, if unaddressed, can lead to an interrupt storm. The xHCI driver currently logs a warning but does not halt the controller, so the interrupt activity persists and degrades system performance. The fix changes the interrupt handling so that xhci_irq() calls xhci_halt() when HCE is reported, which stops the storm and prevents system-wide faults. Halting alone is not a full recovery: that still requires a complete reset and re-initialization of the xHCI controller.
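A user-space model of the behaviour described above, added here as an illustration and not taken from the kernel source or the fix: it counts how many interrupts are delivered when the handler only warns on HCE versus when it also halts the controller. The `model_*` names, the struct, and the assumption that the interrupt line stays asserted while the controller runs with HCE set are constructs of this example; the bit positions follow the xHCI USBCMD/USBSTS register layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Bit positions as defined for the xHCI USBCMD and USBSTS registers. */
#define CMD_RUN  (1u << 0)   /* USBCMD Run/Stop */
#define STS_HALT (1u << 0)   /* USBSTS HCHalted */
#define STS_HCE  (1u << 12)  /* USBSTS Host Controller Error */

/* Hypothetical stand-in for the controller registers, not a kernel struct. */
struct model_hc { uint32_t command, status; unsigned warnings; };

/* Modelling assumption: the line stays asserted while running with HCE set. */
static bool model_irq_pending(const struct model_hc *hc)
{
    return (hc->command & CMD_RUN) && (hc->status & STS_HCE);
}

/* Plays the role the description gives xhci_halt(): stop the controller. */
static void model_halt(struct model_hc *hc)
{
    hc->command &= ~CMD_RUN;
    hc->status |= STS_HALT;
}

/* Plays the role of xhci_irq(): warn on HCE, halt only if halt_on_hce. */
static void model_irq(struct model_hc *hc, bool halt_on_hce)
{
    if (!(hc->status & STS_HCE))
        return;
    hc->warnings++;              /* the warning is logged either way */
    if (halt_on_hce)
        model_halt(hc);
}

/* Deliver interrupts until the line drops or the budget is spent. */
unsigned model_run(bool halt_on_hce, unsigned budget)
{
    struct model_hc hc = { .command = CMD_RUN, .status = STS_HCE };
    unsigned delivered = 0;
    while (delivered < budget && model_irq_pending(&hc)) {
        model_irq(&hc, halt_on_hce);
        delivered++;
    }
    return delivered;
}

int main(void)
{
    printf("warn only: %u, with halt: %u\n", model_run(false, 1000), model_run(true, 1000));
}
```

In the warn-only case the handler consumes the whole budget, which is the storm; with the halt, the first interrupt is also the last, and the modelled controller stays halted until something resets it.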

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6f91f3f087194c114d6d8ea4591b850bb00672f8


Timeline

  • Vulnerability published

  • Vulnerability Reserved
