Skip to main content

Linux Kernel CVE-2026-43170

| EUVDEUVD-2026-27731 MEDIUM
2026-05-06 Linux GHSA-x976-429q-rjpm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:59 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Move vbus draw to workqueue context

Currently dwc3_gadget_vbus_draw() can be called from atomic context, which in turn invokes power-supply-core APIs. And some these PMIC APIs have operations that may sleep, leading to kernel panic.

Fix this by moving the vbus_draw into a workqueue context.

AnalysisAI

Kernel panic occurs in Linux kernel USB gadget driver (dwc3) when vbus_draw function executes PMIC power-supply APIs from atomic context, causing sleep operations in non-sleepable context. The vulnerability affects Linux kernel versions prior to 5.13 and various stable series (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) and is resolved by deferring vbus_draw operations to workqueue context. Local authenticated users with privilege level PR:L can trigger denial of service by invoking affected USB gadget functionality, with EPSS exploitation probability at 0.02% percentile indicating extremely low practical risk despite moderate CVSS severity.

Technical ContextAI

The vulnerability exists in the USB Device Controller 3 (dwc3) gadget driver subsystem, specifically in the dwc3_gadget_vbus_draw() function which interfaces with the power-supply-core (psy) subsystem. The dwc3 driver manages USB Device Controller 3 hardware and implements USB gadget functionality. The root cause is a context mismatch: dwc3_gadget_vbus_draw() can be invoked from atomic/interrupt context (where sleeping is forbidden by kernel rules), but it directly calls power-supply-core APIs that may perform operations requiring sleep (such as I2C or PMIC register access). This violates kernel scheduling constraints (CWE-667: Improper Synchronization). The fix involves moving the vbus_draw operation into a deferred workqueue context where sleeping is permissible. The CPE string (cpe:2.3:a:linux:linux) indicates vulnerability across all Linux kernel distributions and versions, with the affected commit range identifiable through the specific git commits referenced.

RemediationAI

Update Linux kernel to patched versions: 6.6.128 or later, 6.12.75 or later, 6.18.16 or later, 6.19.6 or later, or 7.0 and later. Distributions should apply the upstream fix commits referenced in kernel.org stable branches corresponding to their supported kernel versions. Interim workarounds for systems unable to immediately patch include: disabling USB gadget functionality at compile time (CONFIG_USB_GADGET=n) if not required-note this removes USB device mode entirely, affecting systems relying on USB-C gadget, Android adb, or USB mass storage modes; restricting local user access to USB gadget interfaces via SELinux or AppArmor policies to limit PR:L attack surface; or isolating gadget-dependent services to containers with reduced privilege. Complete mitigation requires kernel upgrade. Patch commits are available at git.kernel.org/stable for each stable branch (links provided in references).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy