What is CVE-2026-43327?

CVE-2026-43327 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10, classified as a Improper Locking flaw (CWE-667), affecting Linux kernel versions from 3.2.97 onward and patched in 5.10.253, 5.15.203, 6.1.168 and others. CVE-2026-43327 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-43327?

CVE-2026-43327 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Is there a patch available for CVE-2026-43327?

Yes, CVE-2026-43327 has been patched. Fixed versions include 5.10.253, 5.15.203, 6.1.168 and others. If you are running Linux kernel 3.2.97 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-43327 actively exploited?

CVE-2026-43327 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is Improper Locking (CWE-667)?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. See MITRE CWE for full details: https://cwe.mitre.org/data/definitions/667.html

CVE-2026-43327

Medium

In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again.

Package Linux Kernel

Published 2026-05-08

Last modified 2026-05-15

CVSS version 3.1

Patch available

Yes

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weakness type

CWE-667

CVE-2026-43327 is a Improper Locking vulnerability

What is Improper Locking?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. Learn more on MITRE CWE

Affected versions

Linux kernel versions 3.2.97, 3.16.52, 4.1.46, 4.4.92, 4.9.55, 4.13.6, 4.14 and later are affected. Fixed in 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0 and their respective stable series.

Affected from

≥ 3.2.97 ≥ 3.16.52 ≥ 4.1.46 ≥ 4.4.92 ≥ 4.9.55 ≥ 4.13.6 ≥ 4.14

Fixed in

✓ 5.10.253 5.10.x ✓ 5.15.203 5.15.x ✓ 6.1.168 6.1.x ✓ 6.6.134 6.6.x ✓ 6.12.81 6.12.x ✓ 6.18.22 6.18.x ✓ 6.19.12 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-43327 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f
Patch
Kernel patch commit
https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2026-43327

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2026-05-08

Modified 2026-05-15

KEV No

Patch

Yes

Package linux

Frequently asked questions

What is CVE-2026-43327?

CVE-2026-43327 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 , classified as an Improper Locking flaw (CWE-667) . It affects Linux kernel versions from 3.2.97 onward and has been patched in 5.10.253, 5.15.203, 6.1.168 and others. CVE-2026-43327 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2026-43327?

CVE-2026-43327 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
Is there a patch available for CVE-2026-43327?

Yes — CVE-2026-43327 has been patched. Fixed versions include 5.10.253, 5.15.203, 6.1.168 and others. If you are running Linux kernel 3.2.97 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-43327 actively exploited?

No — CVE-2026-43327 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
What is Improper Locking (CWE-667)?

The product does not properly acquire or release a lock, which can lead to unexpected behaviour. View CWE-667 on MITRE CWE →