Skip to main content

Linux Kernel EUVDEUVD-2026-28733

| CVE-2026-43427 HIGH
Out-of-bounds Read (CWE-125)
2026-05-08 Linux GHSA-jmm4-crvj-m7gx
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:37 vuln.today
CVSS changed
May 20, 2026 - 18:37 NVD
7.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: class: cdc-wdm: fix reordering issue in read code path

Quoting the bug report:

Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1].

Fix it by using WRITE_ONCE and memory barriers.

AnalysisAI

Out-of-bounds read in the Linux kernel's USB CDC-WDM (Communication Device Class - Wireless Device Management) driver allows a local low-privileged attacker to disclose uninitialized kernel memory and potentially crash the host through a memory-ordering race between desc->length updates and a memmove() in the read path. The flaw stems from compiler reordering or CPU out-of-order execution that can cause wdm_read() to observe an updated length before the corresponding data is fully copied, leading copy_to_user() to operate on uninitialized memory. EPSS is very low (0.02%, 7th percentile), there is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Technical ContextAI

The cdc-wdm driver (drivers/usb/class/cdc-wdm.c) exposes a character device for USB Communication Device Class management endpoints, commonly used by mobile broadband modems (MBIM, QMI) to deliver out-of-band control messages to userspace. The bug is a CWE-125 (Out-of-bounds Read) realized as a data race on the desc->length field: under the Linux Kernel Memory Model (LKMM), the compiler or CPU may reorder the plain write to desc->length ahead of the memmove() that populates the buffer, so a concurrent wdm_read() can read the new length and then copy_to_user() bytes that have not yet been written. The fix introduces WRITE_ONCE() and explicit memory barriers to enforce the required happens-before ordering between the buffer copy and the length publication.

RemediationAI

Vendor-released patch: upgrade to a fixed Linux stable release matching your branch - 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or mainline 7.0 - or apply the corresponding upstream commits (e.g. https://git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0 and the companion stable backports listed above). For distribution kernels, pick up the vendor kernel package that incorporates these commits and reboot. Where patching is delayed, compensating controls include unloading the cdc_wdm module (modprobe -r cdc_wdm) or blacklisting it where USB CDC-WDM devices (cellular modems, MBIM/QMI dongles) are not required - at the cost of losing modem management functionality - and restricting which users can access /dev/cdc-wdm* via udev rules to reduce the local attack surface, since the race is triggered through the read() path on that character device.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy