CVE-2026-43432

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: xhci: Fix memory leak in xhci_disable_slot()<br /> <br /> xhci_alloc_command() allocates a command structure and, when the<br /> second argument is true, also allocates a completion structure.<br /> Currently, the error handling path in xhci_disable_slot() only frees<br /> the command structure using kfree(), causing the completion structure<br /> to leak.<br /> <br /> Use xhci_free_command() instead of kfree(). xhci_free_command() correctly<br /> frees both the command structure and the associated completion structure.<br /> Since the command structure is allocated with zero-initialization,<br /> command-&gt;in_ctx is NULL and will not be erroneously freed by<br /> xhci_free_command().<br /> <br /> This bug was found using an experimental static analysis tool we are<br /> developing. The tool is based on the LLVM framework and is specifically<br /> designed to detect memory management issues. It is currently under<br /> active development and not yet publicly available, but we plan to<br /> open-source it after our research is published.<br /> <br /> The bug was originally detected on v6.13-rc1 using our static analysis<br /> tool, and we have verified that the issue persists in the latest mainline<br /> kernel.<br /> <br /> We performed build testing on x86_64 with allyesconfig using GCC=11.4.0.<br /> Since triggering these error paths in xhci_disable_slot() requires specific<br /> hardware conditions or abnormal state, we were unable to construct a test<br /> case to reliably trigger these specific error paths at runtime.