CVE-2026-23446
Received Received - Intake
Deadlock Vulnerability in Linux aqc111 USB Driver During Suspend

Publication date: 2026-04-03

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen. At this point we block another task which holds rtnl_lock and locks up the whole networking stack. Fix this by replacing the write_cmd calls with their _nopm variants
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23446
EUVD
EUVD-2026-18692
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 5.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.20 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.10 (exc)
linux linux_kernel From 5.0.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB driver for the aqc111 device. It occurs because the aqc111_suspend function calls the power management (PM) variant of its write_cmd routine during a suspend callback. This leads to a deadlock situation where the system waits indefinitely for a status change that never happens, causing a task to hang in rpm_resume.

Specifically, during the suspend process, the call sequence involves rpm_suspend(), usb_suspend_both(), aqc111_suspend(), aqc111_write32_cmd(), usb_autopm_get_interface(), pm_runtime_resume_and_get(), and rpm_resume(). The problem arises when rpm_resume() is called on the parent device, which waits for a status change that never occurs, blocking another task holding the rtnl_lock and locking up the entire networking stack.

The fix for this vulnerability is to replace the write_cmd calls with their _nopm variants to avoid performing power management operations inside the suspend callback.

Impact Analysis

This vulnerability can cause the networking stack in the Linux kernel to lock up due to a deadlock situation. When the task hangs in rpm_resume, it blocks other tasks that hold critical locks like rtnl_lock, effectively freezing network-related operations.

As a result, systems using the affected Linux kernel and the aqc111 USB driver may experience network outages or degraded performance, potentially impacting availability and reliability of network services.

Detection Guidance

This vulnerability manifests as a task hung in rpm_resume, causing a lockup in the networking stack due to a blocked task holding rtnl_lock.

Detection can focus on identifying hung tasks related to rpm_resume and usb suspend callbacks, especially involving the aqc111 USB device interface.

You can check for hung tasks and kernel stack traces using commands like:

  • dmesg | grep -i 'task hung in rpm_resume'
  • cat /proc/interrupts
  • ps -eo state,pid,cmd | grep D # to find tasks in uninterruptible sleep
  • echo w > /proc/sysrq-trigger # to dump all kernel stacks and look for rpm_resume or aqc111_suspend
Mitigation Strategies

The vulnerability is caused by the aqc111_suspend function calling the PM variant of its write_cmd routine, which leads to a deadlock.

The fix involves replacing the write_cmd calls with their _nopm variants to avoid performing power management operations inside the suspend callback.

Immediate mitigation steps include:

  • Update the Linux kernel to a version where this issue is fixed.
  • If updating is not immediately possible, avoid suspending the affected USB device or disable runtime power management for the aqc111 device.
  • Monitor for hung tasks and reboot if the networking stack becomes unresponsive.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart