What is CVE-2026-43488?

CVE-2026-43488 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.2 onward and patched in 6.6.130, 6.12.78, 6.18.19 and others. CVE-2026-43488 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-43488?

CVE-2026-43488 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-43488?

Yes, CVE-2026-43488 has been patched. Fixed versions include 6.6.130, 6.12.78, 6.18.19 and others. If you are running Linux kernel 6.2 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-43488 actively exploited?

CVE-2026-43488 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-43488

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults. When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt(). Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors. This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.

Package Linux Kernel

Published 2026-05-13

Last modified 2026-05-22

Patch available

Yes

Affected versions

Linux kernel versions 6.2 and later are affected. Fixed in 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0 and their respective stable series.

Affected from

≥ 6.2

Fixed in

✓ 6.6.130 6.6.x ✓ 6.12.78 6.12.x ✓ 6.18.19 6.18.x ✓ 6.19.9 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-43488 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/09ff0099c6cf148ff1f7053b5b6c84beb1c2ef8d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/6f91f3f087194c114d6d8ea4591b850bb00672f8
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b2dd9abf8c06cfcbcf242321fd54ae51a4807705
Patch

5 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-43488?

CVE-2026-43488 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.2 onward and has been patched in 6.6.130, 6.12.78, 6.18.19 and others. CVE-2026-43488 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-43488?

Yes — CVE-2026-43488 has been patched. Fixed versions include 6.6.130, 6.12.78, 6.18.19 and others. If you are running Linux kernel 6.2 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-43488 actively exploited?

No — CVE-2026-43488 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.