Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults. When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt(). Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors. This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.
References
- https://git.kernel.org/stable/c/09ff0099c6cf148ff1f7053b5b6c84beb1c2ef8d
- https://git.kernel.org/stable/c/6f91f3f087194c114d6d8ea4591b850bb00672f8
- https://git.kernel.org/stable/c/b2dd9abf8c06cfcbcf242321fd54ae51a4807705
- https://git.kernel.org/stable/c/cd41e0d1df8fcf5eae294657da52b50d1ce03246
- https://git.kernel.org/stable/c/d6d5febd12452b7fd951fdd15c3ec262f01901a4
FAQ
What is CVE-2026-43488?
CVE-2026-43488 is a documented vulnerability. In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UAS...
How severe is CVE-2026-43488?
CVSS scoring is not yet available for CVE-2026-43488. Check NVD for updates.
Is there a patch for CVE-2026-43488?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.