CVE-2026-23446
Deadlock Vulnerability in Linux aqc111 USB Driver During Suspend
Publication date: 2026-04-03
Last updated on: 2026-04-23
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.2 (inc) to 6.6.130 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.167 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.78 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.20 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.10 (exc) |
| linux | linux_kernel | From 5.0.1 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB driver for the aqc111 device. It occurs because the aqc111_suspend function calls the power management (PM) variant of its write_cmd routine during a suspend callback. This leads to a deadlock situation where the system waits indefinitely for a status change that never happens, causing a task to hang in rpm_resume.
Specifically, during the suspend process, the call sequence involves rpm_suspend(), usb_suspend_both(), aqc111_suspend(), aqc111_write32_cmd(), usb_autopm_get_interface(), pm_runtime_resume_and_get(), and rpm_resume(). The problem arises when rpm_resume() is called on the parent device, which waits for a status change that never occurs, blocking another task holding the rtnl_lock and locking up the entire networking stack.
The fix for this vulnerability is to replace the write_cmd calls with their _nopm variants to avoid performing power management operations inside the suspend callback.
How can this vulnerability impact me? :
This vulnerability can cause the networking stack in the Linux kernel to lock up due to a deadlock situation. When the task hangs in rpm_resume, it blocks other tasks that hold critical locks like rtnl_lock, effectively freezing network-related operations.
As a result, systems using the affected Linux kernel and the aqc111 USB driver may experience network outages or degraded performance, potentially impacting availability and reliability of network services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a task hung in rpm_resume, causing a lockup in the networking stack due to a blocked task holding rtnl_lock.
Detection can focus on identifying hung tasks related to rpm_resume and usb suspend callbacks, especially involving the aqc111 USB device interface.
You can check for hung tasks and kernel stack traces using commands like:
- dmesg | grep -i 'task hung in rpm_resume'
- cat /proc/interrupts
- ps -eo state,pid,cmd | grep D # to find tasks in uninterruptible sleep
- echo w > /proc/sysrq-trigger # to dump all kernel stacks and look for rpm_resume or aqc111_suspend
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by the aqc111_suspend function calling the PM variant of its write_cmd routine, which leads to a deadlock.
The fix involves replacing the write_cmd calls with their _nopm variants to avoid performing power management operations inside the suspend callback.
Immediate mitigation steps include:
- Update the Linux kernel to a version where this issue is fixed.
- If updating is not immediately possible, avoid suspending the affected USB device or disable runtime power management for the aqc111 device.
- Monitor for hung tasks and reboot if the networking stack becomes unresponsive.