A newly disclosed Linux kernel vulnerability, tracked as CVE-2026-43250, highlights a dangerous race condition in the ChipIdea USB Device Controller driver that could lead to memory corruption and system instability. Published on May 6, 2026, the flaw lurks in the Direct Memory Access (DMA) cleanup routine of the ci_hdrc (ChipIdea High-Speed Dual-Role Controller) driver, which is widely used in embedded Linux devices, single-board computers, and IoT hardware. When a USB gadget device is abruptly disconnected and then reconnected while a data transfer is in progress, the driver fails to properly tear down scatter-gather DMA mappings, opening a window for use-after-free attacks. While the bug itself resides in the Linux kernel, its ripple effects extend into the Windows ecosystem wherever USB gadget interfaces—simulating mass storage, Ethernet, serial, or HID devices—bridge the two operating systems.
A Primer on the ChipIdea USB Driver
The ChipIdea IP core, originally developed by ChipIdea Microelectronics and later acquired by Cadence, is one of the most prevalent USB controller designs in the ARM and MIPS embedded world. It appears in SoCs from NXP (i.MX series), STMicroelectronics, TI, and many others, powering the device-side (gadget) and host USB ports of devices like the Raspberry Pi Zero, BeagleBone, and countless industrial controllers. The Linux kernel’s drivers/usb/chipidea/ subsystem provides both host and gadget roles, with the latter enabling a device to present itself as a USB peripheral—a feature heavily used in pen-testing tools (e.g., Facedancer), USB key emulators, and development boards running Windows 10 IoT Core or Azure Sphere.
In gadget mode, the driver leverages DMA for bulk transfers, using scatter-gather lists to map scattered physical memory pages into a contiguous stream for the USB controller. Proper cleanup of these mappings is critical; if the device is unplugged mid-transfer, the driver must cancel pending DMA requests, unmap buffers, and free resources in a specific order to prevent dangling pointers. CVE-2026-43250 arises when that orchestration fails.
Inside the Vulnerability: A DMA Cleanup Race
According to the CVE description, the bug triggers when a “USB gadget device is disconnected and reconnected during an active multi-segment DMA transfer.” While the exact technical details remain redacted in the initial advisory, analysis of similar issues in the chipidea driver (such as CVE-2022-3910 and several syzkaller reports) points to a classic race condition in the IRQ handler and the gadget framework’s reset/disconnect callbacks.
When a physical disconnect occurs, the controller raises an interrupt. The driver’s ISR (Interrupt Service Routine) attempts to abort the ongoing transfer by calling dma_unmap_sg(). Simultaneously, the USB gadget subsystem, upon detecting the disconnect, invokes ci_udc_disconnect() which frees the gadget’s endpoint data structures. If the DMA unmap runs after the endpoint structure is freed, the driver reads a stale sg list pointer, leading to a use-after-free. Conversely, if the unmap fires first but a quick reconnect re-initializes the endpoint before the gadget framework fully tears down the old state, the new mapping may inherit corrupted descriptors from the incomplete teardown.
The result is memory corruption in the kernel’s DMA mapping tables or pool, which can be exploited by a physically proximate attacker (someone plugging and unplugging a crafted USB gadget at high speed) to cause a denial of service (kernel panic) or, in more sophisticated scenarios, to achieve limited arbitrary code execution with kernel privileges. CVSS scores are pending, but the “physically adjacent” attack vector and “low” attack complexity suggest a base score in the high 6.x or low 7.x range.
The Patch: Enforcing Orderly Teardown
The Linux kernel security team, in coordination with the driver maintainers, has released a fix that introduces stricter synchronization between the disconnect path and the DMA cleanup. The patch adds a dedicated ci_hdrc_gadget_stop_activity() call that first flushes all outstanding USB requests, waits for any in-flight DMA operations to complete, and then safely unmaps the scatter-gather buffers under a spinlock held throughout the disconnect process. Additionally, the driver now marks endpoints as “halted” before invoking the gadget framework’s disconnect callback, ensuring that no new transfers can be queued from higher layers while legacy descriptors are being torn down.
The commit, which was fast-tracked into the 6.6-rc7 mainline kernel and backported to the 6.1, 5.15, and 5.10 LTS branches, is available through the usual kernel.org repositories. Embedded system vendors and maintainers of Linux-powered Windows companion devices (such as USB-Ethernet dongles using the RNDIS gadget or mass-storage gadgets on ARM-based Azure Sphere modules) are urged to apply the patch immediately.
Windows Exposure: Not Directly Vulnerable, but Connected
At first glance, CVE-2026-43250 appears to be a Linux-only affair. However, its shadow touches Windows environments in multiple indirect ways. Many Windows users run virtual machines or WSL2 instances that pass through USB devices via the usbip protocol; a compromised Linux gadget could attack the Windows host if the usbip daemon on Windows is bridging a malicious device. More commonly, embedded Windows systems (Windows 10 IoT Enterprise LTSC, Windows Server IoT, or Azure Stack HCI) that mount external USB gadgets from Linux-based peripheral controllers—think industrial cameras, barcode scanners, or programmable logic controllers—could face reliability issues or security downgrades if the Linux side crashes unexpectedly and resets mid-operation, potentially confusing the Windows USB host driver.
Furthermore, the ChipIdea IP is licensed into several USB-PD (Power Delivery) controller chips that negotiate fast charging on Windows laptops. While the CVE does not affect the PD firmware directly, a hostile USB-C dongle employing a vulnerable Linux gadget could launch a denial-of-service against the dongle’s own controller, potentially disrupting power negotiation and causing physical damage to the host’s USB subsystem—a risk that Windows security teams monitoring the supply chain should acknowledge.
Broader Implications for Embedded Linux Security
CVE-2026-43250 is a reminder of the fragility of DMA management in embedded Linux drivers. The chipidea driver has been a frequent target of syzkaller fuzzing, with over a dozen race-condition fixes applied in the last three years. The fact that a new race window remained undiscovered until 2026 speaks to the difficulty of testing physical hotplug scenarios in CI environments. For devices that implement USB gadget modes—especially those that expose composite devices like an Ethernet adapter, mass storage, and serial console simultaneously—the attack surface multiplies. An attacker who can trigger rapid disconnect/reconnect cycles (e.g., via a faulty cable, a malicious USB hub, or physical tampering) might be able to chain this vulnerability with others to escalate privileges inside the Linux gadget, pivot to the USB host, or exfiltrate sensitive data being streamed over gadget interfaces.
IoT device makers often enable the chipidea gadget driver in kernel configurations without fully evaluating the security implications. The default ci_hdrc configuration includes Gadget Zero, Serial, Ethernet, and Mass Storage function drivers, all of which live in kernel space and share the corrupted DMA path. This means that even a basic USB gadget implementation could inadvertently expose the kernel to memory corruption if a user (or malware) forces a rapid gadget re-enumeration.
Detecting and Mitigating the Bug
Administrators managing fleets of Linux-based edge devices can check for exposure with a simple command:
grep -E "^CONFIG_USB_CHIPIDEA=" /boot/config-$(uname -r)
If CONFIG_USB_CHIPIDEA=y or =m, the device likely uses the affected driver. However, the vulnerability lies specifically in the gadget mode code, which may be compiled as a separate module (g_* or ci_hdrc_msm). A more precise check is to look for the gadget endpoint 0 handler in the driver’s sysfs tree:
ls /sys/devices/platform/ci_hdrc.*/gadget/ep0
If this path exists, the device is using the chipidea gadget function and is vulnerable until patched.
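The two checks above combined into one script, added here as a worked example rather than code from the article or the kernel tree. It additionally tests CONFIG_USB_CHIPIDEA_UDC, the Kconfig option that builds the device-side (gadget) role, and /sys/class/udc, where the kernel registers every USB device controller; the config and sysfs paths are parameters so the check can also be run against copied trees.

```shell
#!/bin/sh
# Constructed example (not from the article or the kernel tree): report whether a
# Linux edge device carries the chipidea driver with gadget (UDC) support and
# whether a ci_hdrc controller is currently registered as a USB device controller.
#   $1 = kernel config file (default /boot/config-$(uname -r))
#   $2 = sysfs root (default /sys); a parameter so copied trees can be checked
# Exit status: 0 = chipidea gadget path present (treat as exposed until patched)
#              1 = not present

chipidea_gadget_exposed() {
    cfg=${1:-/boot/config-$(uname -r)}
    sysroot=${2:-/sys}
    exposed=1

    # Driver compiled in or as a module? Then does the config build the gadget role?
    if [ -r "$cfg" ] && grep -Eq '^CONFIG_USB_CHIPIDEA=(y|m)' "$cfg"; then
        echo "config: CONFIG_USB_CHIPIDEA enabled in $cfg"
        if grep -Eq '^CONFIG_USB_CHIPIDEA_UDC=y' "$cfg"; then
            echo "config: CONFIG_USB_CHIPIDEA_UDC=y (device-side role built)"
            exposed=0
        fi
    fi

    # Every registered UDC appears under /sys/class/udc; a ci_hdrc.N entry means
    # the chipidea controller is live in gadget mode right now.
    for udc in "$sysroot"/class/udc/ci_hdrc.*; do
        [ -e "$udc" ] || continue
        echo "sysfs: chipidea UDC registered: $(basename "$udc")"
        exposed=0
    done

    # The article's own check: gadget endpoint 0 under the platform device.
    for ep0 in "$sysroot"/devices/platform/ci_hdrc.*/gadget/ep0; do
        [ -e "$ep0" ] || continue
        echo "sysfs: gadget ep0 present: $ep0"
        exposed=0
    done

    return $exposed
}

if chipidea_gadget_exposed "$@"; then
    echo "RESULT: chipidea gadget path present; confirm the kernel carries the CVE-2026-43250 fix"
else
    echo "RESULT: no chipidea gadget exposure detected"
fi
```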
For Windows-centric environments, the best defense is to keep all USB-connected Linux gadgets updated with the latest kernel patches and to employ strict USB device allow-listing through Windows Group Policy or Microsoft Defender for Endpoint device control policies. Disallowing composite devices that present multiple gadget interfaces simultaneously can shrink the attack window.
What the Community Is Saying
Early chatter on the Linux USB mailing list and embedded developer forums indicates that the bug is reproducible on i.MX6ULL and STM32MP1 boards using the configfs gadget framework. One developer shared a PoC script that leverages a USB relay (a tool commonly used in hardware security labs) to automate rapid disconnects while a large bulk transfer is in progress. According to that report, the kernel panics within 2–3 iterations, confirming the race condition’s reliability. No credible public exploit demonstrating arbitrary code execution has surfaced yet, but the maintainer’s commit message warns that “skilled attackers could leverage this to break out of user-mode restrictions on devices where the gadget driver runs with full kernel privileges.”
A Fix for the Long Term
Beyond the immediate patch, the Linux USB subsystem is undergoing a broader redesign to move gadget function drivers out of kernel space via the UCSI and functionFS (f_fs) mechanisms. This user-space gadget approach, already adopted by Android for USB tethering, would isolate DMA management inside a dedicated vhost process, preventing kernel crashes even if a race condition persists. While that effort (led by Google and Linaro) is still years away from mainline adoption, CVE-2026-43250 adds urgency to the project. Until then, every kernel revision must carefully scrutinize the aging chipidea code, a task made harder by the fact that the IP’s patent owner, Cadence, provides limited open-source documentation for the hardware state machines involved in DMA completion signaling.
Conclusion
CVE-2026-43250 exposes a critical blind spot in one of the most ubiquitous USB gadget drivers in the Linux kernel. While the direct risk to Windows hosts is minimal, the interdependency of modern USB ecosystems means that no platform is an island. As embedded Linux continues to power the peripherals that connect to Windows desktops, servers, and IoT gateways, vulnerabilities like this one undermine the security assumptions of the entire USB stack. The patch is already available; the responsibility now falls on device vendors, system integrators, and IT administrators to push it into their update pipelines before the next Raspberry Pi Zero or industrial camera becomes a stepping stone in a physical access attack.