Skip to main content

Linux Kernel CVE-2026-43428

| EUVDEUVD-2026-28734 MEDIUM
2026-05-08 Linux GHSA-xwm3-969p-pfmw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:39 vuln.today
CVSS changed
May 20, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

USB: core: Limit the length of unkillable synchronous timeouts

The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device.

To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector.

In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout.

AnalysisAI

Unbounded uninterruptible USB synchronous timeout in the Linux kernel's usbcore subsystem allows a local low-privilege user to permanently hang a kernel task with no signal-based kill path. The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs accept arbitrary timeout values and use TASK_UNINTERRUPTIBLE waits, meaning a task blocked on a misbehaving or absent USB device cannot be terminated by SIGKILL - only physical device removal can unblock it. CVSS 5.5 (AV:L/PR:L/A:H), EPSS at 0.02% (7th percentile), no KEV listing, and no public exploit code at time of analysis collectively indicate low active exploitation risk, though the denial-of-service primitive is straightforward once local access is established.

Technical ContextAI

The Linux kernel's USB core subsystem (usbcore) exposes three synchronous blocking APIs - usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() - that perform USB transfers using TASK_UNINTERRUPTIBLE waits. Unlike TASK_INTERRUPTIBLE, uninterruptible waits cannot be woken by POSIX signals, including SIGKILL; only the wait condition or timeout expiry can release the task. Prior to the fix, these functions imposed no upper bound on the caller-supplied timeout parameter, and negative values had ambiguous behavior. On systems where the USB device stops responding or is deliberately slow, the calling task blocks forever. The fix enforces a 60-second maximum timeout ceiling and canonicalizes negative inputs to zero (which maps to the maximum), eliminating both the unbounded-wait and the negative-value ambiguity. CPE data (cpe:2.3:a:linux:linux) confirms this affects the mainline Linux kernel from its initial git commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) across all stable branches up to their respective patch points. No CWE is assigned in NVD; the root cause conceptually aligns with improper resource-lifetime or missing timeout enforcement rather than a memory-safety issue.

RemediationAI

The primary fix is upgrading to a patched stable kernel release: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0, depending on the branch deployed. Upstream stable-tree patch commits are available at https://git.kernel.org/stable/c/4e86f5b79e62ded7e3c3ebd688cf5775e618148a and sibling commits referenced in the CVE. For systems that cannot immediately apply the kernel update, compensating controls include restricting local user access to USB devices via udev rules (SUBSYSTEM'usb', ACTION'add', GROUP='plugdev', MODE='0660') or cgroup v2 device access controls - this limits which users can interact with USB device nodes, reducing the set of users who can invoke the relevant kernel paths, though it may disrupt legitimate USB use. Disabling USB support entirely (CONFIG_USB=n at build time or via kernel module blacklisting of usb-storage and related modules) eliminates the attack surface but is impractical outside headless or embedded environments. No negative side effects from the kernel fix itself are anticipated, as the 60-second cap is described as sufficient to avoid the hung-task detector on most systems.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43428 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy