
CVE-2026-43488

Published: May 13, 2026 · Updated: May 13, 2026

EPSS: 0.02% probability of exploitation in 30 days · Percentile: 4.9th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Prevent interrupt storm on host controller error (HCE)

The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios on Android devices. HCE is checked in xhci_irq() function and causes an interrupt storm (since the interrupt isn’t cleared), leading to severe system-level faults.

When the xHC controller reports HCE in the interrupt handler, the driver only logs a warning and assumes xHC activity will stop as stated in xHCI specification. An interrupt storm does however continue on some hosts even after HCE, and only ceases after manually disabling xHC interrupt and stopping the controller by calling xhci_halt().

Add xhci_halt() to xhci_irq() function where STS_HCE status is checked, mirroring the existing error handling pattern used for STS_FATAL errors.

This only fixes the interrupt storm. Proper HCE recovery requires resetting and re-initializing the xHC.

NVD Source

Technical Analysis

CVE-2026-43488 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time

All References (5)

Quick Facts

CVE ID: CVE-2026-43488
Severity: NONE
CISA KEV: No
EPSS (30d): 0.02%
Published: May 13, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43488 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.