Skip to main content

Linux EUVDEUVD-2026-18692

| CVE-2026-23446 MEDIUM
2026-04-03 Linux GHSA-mqjm-rhm6-4854
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
4de6a43e8ecf961feabddf0e9d6911081d2ed218,3267bcb744ee8a2feabaa7ab69473f086f67fd71,069c8f5aebe4d5224cf62acc7d4b3486091c658a
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18692
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Do not perform PM inside suspend callback

syzbot reports "task hung in rpm_resume"

This is caused by aqc111_suspend calling the PM variant of its write_cmd routine.

The simplified call trace looks like this:

rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen.

At this point we block another task which holds rtnl_lock and locks up the whole networking stack.

Fix this by replacing the write_cmd calls with their _nopm variants

AnalysisAI

Linux kernel aqc111 USB driver deadlock in power management allows local denial of service via task hang during runtime suspend. The vulnerability occurs when aqc111_suspend() calls power-managed write operations during device suspension, triggering nested runtime PM calls that deadlock waiting for a state change that never occurs. This blocks the rtnl_lock and freezes the entire networking stack. Affected systems running vulnerable kernel versions with USB AQC111 network adapters are susceptible to local DoS that requires no authentication or user interaction beyond normal device suspension. No public exploit code identified; fix requires kernel upgrade or manual patch application.

Technical ContextAI

The aqc111 driver manages Aquantia USB network adapters within the Linux kernel's USB subsystem. The vulnerability stems from improper power management (PM) sequencing during the suspend callback. When usb_suspend_both() invokes the driver's suspend handler while the USB device's power.runtime_status is RPM_SUSPENDING, the driver incorrectly calls aqc111_write32_cmd(), which internally invokes usb_autopm_get_interface() to acquire PM rights. This function calls pm_runtime_resume_and_get() on the parent device, triggering rpm_resume() recursively. The second rpm_resume() call attempts to wait for the parent device's status to change from RPM_SUSPENDING, but since the parent is already suspended and the child holds rtnl_lock, the wait never completes-creating a classic deadlock. The CWE root cause is improper locking/synchronization during nested power management state transitions (CWE-667: Improper Locking). The fix replaces PM-aware write commands with non-PM variants (_nopm suffix) that do not attempt to acquire additional power references during suspend.

RemediationAI

Upgrade Linux kernel to a patched version incorporating one of the stable commits (621f2f43741b51f62d767eb4752fbcefe2526926, 4de6a43e8ecf961feabddf0e9d6911081d2ed218, 3267bcb744ee8a2feabaa7ab69473f086f67fd31, d3e32a612c6391ca9b7c183aeec22b4fd24c300c, 98e8aed64614b0c199d5f0391fbe1a4331cb5773, or 069c8f5aebe4d5224cf62acc7d4b3486091c658a). These patches are available in stable kernel branches via https://git.kernel.org/stable/. Linux distributions should backport or release updated kernels through their standard patch channels (kernel security updates). If immediate upgrade is not possible, disable runtime power management for USB devices (via kernel parameters or sysfs) as a temporary workaround, though this reduces power efficiency. Systems with aqc111 adapters should prioritize kernel updates to restore normal suspend functionality and prevent networking stack deadlocks.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy