Skip to main content

Linux Kernel EUVDEUVD-2026-27740

| CVE-2026-43180 HIGH
2026-05-06 Linux GHSA-gq4c-7253-q3cg
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:34 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode

kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration.

The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB:

kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); }

kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done }

kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active }

This triggers the WARN in usb_submit_urb():

"URB submitted while active"

This is a similar class of bug fixed in rtl8150 by

  • commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").

Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time.

AnalysisAI

Double URB submission in Linux kernel kaweth USB network driver allows local attackers with low privileges to trigger high severity impacts including potential denial of service, information disclosure, or code execution. The flaw occurs when kaweth_set_rx_mode() prematurely re-enables the TX queue via netif_wake_queue() before an in-flight USB transfer completes, enabling kaweth_start_xmit() to submit the same URB twice - a condition explicitly warned against by the USB subsystem. Patches are available across all supported kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Despite CVSS 7.8 High severity, EPSS score is only 0.02% (7th percentile), indicating low observed exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

The kaweth driver manages Kawasaki LSI USB-to-Ethernet adapters in the Linux kernel's USB networking subsystem. The vulnerability stems from improper TX queue lifecycle management within the ndo_set_rx_mode callback (kaweth_set_rx_mode), which handles multicast filtering configuration. USB Request Blocks (URBs) are kernel data structures representing USB I/O operations - each URB can only be submitted once until its completion callback fires. The netif_stop_queue() and netif_wake_queue() functions control network stack transmission flow: stop prevents new TX packets from entering the driver, wake re-enables transmission. By calling netif_wake_queue() before the USB subsystem completes the in-flight tx_urb, the driver creates a race condition where kaweth_start_xmit() can be invoked again, attempting to re-submit an active URB. This violates USB core invariants enforced by usb_submit_urb() checks. The bug class mirrors CVE-2024-XXXXX in rtl8150 driver (commit 958baf5eaee3), where misplaced queue manipulation in set_multicast caused similar URB lifecycle violations. Affected CPE configurations span cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* covering all kernel versions from 2.6.12 (commit 1da177e4c3f4) through 7.0-rc branches prior to patch commits.

RemediationAI

Apply vendor-released kernel patches appropriate to your distribution's kernel branch. Red Hat/CentOS users should update via yum/dnf update kernel to RHEL kernel builds incorporating upstream commits. Debian/Ubuntu users should apt update && apt upgrade to receive patched kernel packages in respective stable channels. SUSE/openSUSE users apply via zypper update kernel-default. For custom-compiled kernels, cherry-pick fix commits from kernel.org stable tree (commit 64868f5ecade for mainline, branch-specific commits listed in references). Reboot required to load patched kernel. Workaround for systems unable to immediately patch: Unload the kaweth module (modprobe -r kaweth) if the USB Ethernet adapter is not actively required - this eliminates attack surface but disables network functionality for that interface. Alternatively, restrict /dev/bus/usb device node permissions to prevent unprivileged users from triggering driver code paths, though this may break legitimate USB functionality and does not prevent exploitation by already-privileged local users (PR:L in CVSS). For embedded systems with kaweth hardware dependencies, consider USB device allowlisting via udev rules to block untrusted kaweth device attachment until patching, though this introduces operational complexity and may not prevent exploitation via legitimate devices. No upstream advisory URLs beyond kernel.org git commits; distributions publish advisories via their respective security channels (RHSA, DSA, SUSE Security Update, etc.).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy