Skip to main content

Linux Kernel CVE-2026-43429

| EUVDEUVD-2026-28735 MEDIUM
2026-05-08 Linux GHSA-f7gv-jp52-6999
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:39 vuln.today
CVSS changed
May 20, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts

The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely.

AnalysisAI

Indefinite kernel thread hang in the Linux kernel usbtmc (USB Test and Measurement Class) driver allows a local authenticated user to cause a denial of service by supplying an arbitrarily large timeout value via ioctl. The driver previously passed user-controlled timeout values directly to usb_bulk_msg(), which uses unkillable waits, meaning the kernel thread could never be interrupted or killed once blocked. No public exploit or active exploitation has been identified at time of analysis, and EPSS probability is negligible at 0.02%, but the straightforward local trigger path makes this a meaningful availability risk on systems with USBTMC devices.

Technical ContextAI

The usbtmc driver implements the USB Test and Measurement Class protocol, used to communicate with laboratory and measurement instruments over USB. The driver exposes ioctl commands that allow user-space processes to configure and execute bulk USB transfers, including specifying timeout durations. Internally, these transfers were dispatched via usb_bulk_msg(), a kernel API that blocks the calling thread until completion or timeout - crucially, using an uninterruptible wait state (TASK_UNINTERRUPTIBLE). This means that if a user provides an extremely large timeout (e.g., INT_MAX milliseconds), the kernel thread is rendered unkillable for that duration, consuming a kernel execution context indefinitely. The fix replaces usb_bulk_msg() with usb_bulk_msg_killable(), which uses an interruptible wait (TASK_KILLABLE), allowing the kernel to respond to fatal signals. The affected CPE is cpe:2.3:a:linux:linux across a wide range of kernel versions. No CWE was assigned by the reporter, but the root cause class is most consistent with CWE-400 (Uncontrolled Resource Consumption) and CWE-835 (Loop with Unreachable Exit Condition) in an uninterruptible sleep context. The 'Information Disclosure' tag in the ENISA EUVD record appears to be a tagging error - CVSS confirms C:N/I:N/A:H, a pure availability impact with no confidentiality or integrity component.

RemediationAI

The primary fix is to upgrade to a patched kernel version: 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0, depending on the branch in use. Patch commits are available at https://git.kernel.org/stable/c/72c0a063489be183cfb99e7050aaef503bdb6449 (6.6 branch), https://git.kernel.org/stable/c/7fa72c369c23c27d1f64883c1e276af950557fb1 (6.1 branch), and corresponding commits for other branches linked in the CVE references. If immediate patching is not feasible, a compensating control is to restrict access to the usbtmc device node (typically /dev/usbtmc*) to only trusted users or root via udev rules or file permissions - this prevents unprivileged local users from issuing the problematic ioctl. A further option is to blacklist or unload the usbtmc kernel module (modprobe -r usbtmc; echo 'blacklist usbtmc' >> /etc/modprobe.d/blacklist.conf) on systems where USB measurement instruments are not required; note this will prevent legitimate USBTMC device use. Downstream distribution advisories from Debian, Ubuntu, Red Hat, and SUSE should be monitored for backported packages.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43429 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy