CVE-2026-43180
USB Network Driver Race Condition in Linux Kernel
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB kaweth driver, specifically in the kaweth_set_rx_mode() function. The function incorrectly manipulates the transmit (TX) queue by calling netif_stop_queue() and netif_wake_queue(), which are meant for TX flow control but unrelated to receive (RX) multicast configuration.
Because netif_wake_queue() is called prematurely, it can re-enable the TX queue while a USB request block (URB) is still in flight. This leads to a double submission of the same URB via usb_submit_urb(), which triggers a warning "URB submitted while active".
The root cause is that kaweth_set_rx_mode() performs TX queue manipulation incorrectly, while the actual RX mode setting is done asynchronously by kaweth_async_set_rx_mode().
How can this vulnerability impact me?
This vulnerability can cause instability or unexpected behavior in the USB network driver by submitting the same USB request block twice while it is still active. This may lead to warnings, potential data corruption, or driver malfunction.
Such issues could result in degraded network performance or loss of connectivity on devices using the affected driver.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for the kernel warning message "URB submitted while active", which indicates that a USB Request Block (URB) was submitted while it was still active, a sign of the described bug in the kaweth driver.
You can check your system logs for this warning message using commands such as:
- dmesg | grep "URB submitted while active"
- journalctl -k | grep "URB submitted while active"
These commands search the kernel ring buffer or system journal for the specific warning that indicates the vulnerability is being triggered.
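The warning is raised from usb_submit_urb() in the USB core, so a bare grep also matches double submissions made by other USB drivers. The following added example (not part of the original page or of the kernel source) counts the warnings in a kernel log and how many of them carry a kaweth stack frame; the function names and the log excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: attribute "URB submitted while active" warnings to kaweth.
# Reads kernel log text on stdin and prints "<total> <kaweth>":
# all such warnings, and those whose following trace has a kaweth frame.
count_urb_warnings() {
    awk '
        /URB .*submitted while active/ { total++; in_trace = 1; hit = 0; next }
        # Match stack frames only: "kaweth_xxx+0x..." or the "[kaweth]" tag.
        # A plain "kaweth" in "Modules linked in:" must not count.
        in_trace && !hit && /kaweth_[a-z_]*\+0x|\[kaweth\]/ { kaweth++; hit = 1 }
        in_trace && /end trace/ { in_trace = 0 }
        END { printf "%d %d\n", total, kaweth }
    '
}

# Constructed, simplified log excerpt (not captured from a real system).
# "exampledrv" is a hypothetical second driver used as a negative case.
sample_log() {
cat <<'EOF'
[  101.000001] ------------[ cut here ]------------
[  101.000002] usb 1-1: URB 00000000aaaaaaaa submitted while active
[  101.000003] Modules linked in: kaweth usbnet
[  101.000004] Call Trace:
[  101.000005]  usb_submit_urb+0x1a0/0x5c0
[  101.000006]  kaweth_start_xmit+0x120/0x2a0 [kaweth]
[  101.000007] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] usb 2-1: URB 00000000bbbbbbbb submitted while active
[  202.000003] Modules linked in: kaweth exampledrv
[  202.000004] Call Trace:
[  202.000005]  usb_submit_urb+0x1a0/0x5c0
[  202.000006]  exampledrv_xmit+0x40/0x90 [exampledrv]
[  202.000007] ---[ end trace 0000000000000000 ]---
EOF
}

# Two warnings in the sample, one attributable to kaweth.
sample_log | count_urb_warnings
```

On a live system, pipe real data into the function instead of the sample, for example journalctl -k | count_urb_warnings or dmesg | count_urb_warnings.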
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by removing the premature call to netif_wake_queue() in the kaweth_set_rx_mode() function, which prevents the TX queue from being re-enabled while a USB Request Block (URB) is still in flight.
Immediate mitigation steps include:
- Update your Linux kernel to a version that includes the fix removing the TX queue manipulation in kaweth_set_rx_mode.
- Avoid using the kaweth USB network driver if possible until the fix is applied.
- Monitor system logs for the "URB submitted while active" warning to detect if the issue is occurring.