Skip to main content

Linux Kernel EUVDEUVD-2026-28731

| CVE-2026-43425 MEDIUM
2026-05-08 Linux GHSA-mvvm-h9gx-gvqm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:38 vuln.today
CVSS changed
May 20, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: image: mdc800: kill download URB on timeout

mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active.

A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb():

"URB submitted while active"

Check the return value of wait_event_timeout() and kill the URB if it indicates timeout, ensuring the URB is complete before its status is inspected or the URB is resubmitted.

Similar to

  • commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
  • commit b98d5000c505 ("media: rc: iguanair: handle timeouts")

AnalysisAI

Denial of service in the Linux kernel mdc800 USB imaging driver allows a local low-privileged user to crash the kernel by triggering a URB double-submission race condition. The mdc800_device_read() function submits a USB Request Block (URB) but fails to cancel it on timeout, leaving it active; a subsequent read() resubmits the same in-flight URB, triggering a kernel WARN in usb_submit_urb() that can destabilize the system. No public exploit exists and no active exploitation has been identified - EPSS is 0.02% (7th percentile), reflecting the hardware-specific, local-access-only nature of this flaw.

Technical ContextAI

The vulnerability is in the mdc800 USB driver (drivers/usb/image/mdc800.c), which handles Mustek MDC-800 series USB digital cameras. The mdc800_device_read() function submits a download_urb and blocks using wait_event_timeout(). The defect is that the return value of wait_event_timeout() is not evaluated: if it returns 0 (timeout elapsed with no completion), the function exits without calling usb_kill_urb() to cancel the pending transfer. When a subsequent read() call arrives, usb_submit_urb() is invoked on the same URB that is still in-flight, violating the USB core invariant and triggering the kernel safety warning 'URB submitted while active', which can cause a kernel oops or panic (Availability: High per CVSS). CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H confirms the impact is limited to local availability with no confidentiality or integrity consequences - the 'Information Disclosure' tag in the source data does not align with this vector and appears to be a misclassification. This class of bug is analogous to resolved issues in the yurex driver (commit 372c93131998) and iguanair driver (commit b98d5000c505). No CWE was formally assigned, but the root cause maps closely to CWE-404 (Improper Resource Shutdown or Release) and CWE-362 (Race Condition) on timeout paths.

RemediationAI

Upgrade to a patched kernel release for the active stable branch in use: 5.10.253+, 5.15.203+, 6.1.167+, 6.6.130+, 6.12.78+, 6.18.19+, 6.19.9+, or Linux 7.0+. Patch commits are published at https://git.kernel.org/stable/c/9fa5a49760979ba016506fe292a431c8b83f043e and the other branch-specific commits listed in the CVE references. For systems that do not use Mustek MDC-800 cameras, the most effective compensating control is to blocklist the mdc800 module by adding 'blacklist mdc800' to /etc/modprobe.d/blacklist.conf and running 'dracut -f' or equivalent to rebuild the initramfs - this eliminates the attack surface entirely with no functional impact on systems without this camera hardware. On systems where the camera is in use, restrict device node access permissions to prevent untrusted local users from triggering read() calls on the device. NVD advisory available at https://nvd.nist.gov/vuln/detail/CVE-2026-43425.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy