CVE-2026-43170
USB Gadget VBUS Draw Race Condition in Linux Kernel
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB driver for the dwc3 gadget. The function dwc3_gadget_vbus_draw() can be called from an atomic context, but it invokes power-supply-core APIs that may perform operations that can sleep. Since sleeping is not allowed in atomic context, this can lead to a kernel panic. The fix involves moving the vbus_draw operation into a workqueue context where sleeping is permitted.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to panic due to improper context usage when calling power management APIs. A kernel panic results in a system crash, which can lead to denial of service, system instability, and potential data loss or corruption.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by moving the vbus_draw operation into a workqueue context to avoid kernel panic caused by sleeping in atomic context.
To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.