CVE-2026-43180
Undergoing Analysis Undergoing Analysis - In Progress
USB Network Driver Race Condition in Linux Kernel

Publication date: 2026-05-06

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration. The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB: kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); } kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done } kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active } This triggers the WARN in usb_submit_urb(): "URB submitted while active" This is a similar class of bug fixed in rtl8150 by - commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast"). Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43180
EUVD
EUVD-2026-27740
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB kaweth driver, specifically in the kaweth_set_rx_mode() function. The function incorrectly manipulates the transmit (TX) queue by calling netif_stop_queue() and netif_wake_queue(), which are meant for TX flow control but unrelated to receive (RX) multicast configuration.

Because netif_wake_queue() is called prematurely, it can re-enable the TX queue while a USB request block (URB) is still in flight. This leads to a double submission of the same URB via usb_submit_urb(), which triggers a warning "URB submitted while active".

The root cause is that kaweth_set_rx_mode() performs TX queue manipulation incorrectly, while the actual RX mode setting is done asynchronously by kaweth_async_set_rx_mode().

Impact Analysis

This vulnerability can cause instability or unexpected behavior in the USB network driver by submitting the same USB request block twice while it is still active. This may lead to warnings, potential data corruption, or driver malfunction.

Such issues could result in degraded network performance or loss of connectivity on devices using the affected driver.

Detection Guidance

This vulnerability can be detected by monitoring for the kernel warning message "URB submitted while active" which indicates that a USB Request Block (URB) was submitted while it was still active, a sign of the described bug in the kaweth driver.

You can check your system logs for this warning message using commands such as:

  • dmesg | grep "URB submitted while active"
  • journalctl -k | grep "URB submitted while active"

These commands search the kernel ring buffer or system journal for the specific warning that indicates the vulnerability is being triggered.

Mitigation Strategies

The vulnerability is resolved by removing the premature call to netif_wake_queue() in the kaweth_set_rx_mode() function to prevent the TX queue from being re-enabled while a USB Request Block (URB) is still in-flight.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix removing the TX queue manipulation in kaweth_set_rx_mode.
  • Avoid using the kaweth USB network driver if possible until the fix is applied.
  • Monitor system logs for the "URB submitted while active" warning to detect if the issue is occurring.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart