CVE-2026-43255
USB URB Race Condition in Linux Kernel
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
| libertas | wifi | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's libertas wifi driver, specifically in the usb_tx_block() function. The function submits a transmission request (tx_urb) without checking whether the previous transmission using that same URB has completed. If a second submission occurs while the first is still active, the kernel emits the warning 'URB submitted while active'. This happens, for example, during rapid firmware loading.
The issue is fixed by enforcing serialization: before submitting a new request, the function usb_kill_urb() is called to ensure the previous request is idle and safe to reuse.
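The difference between the two submission patterns, as an added userspace model (not the driver's code and not part of the original page). All `mock_*` and `tx_block_*` names are hypothetical, and the model assumes that resubmitting an in-flight URB fails with -EBUSY alongside the warning:

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model with hypothetical names: tracks only whether a URB is in flight. */
struct mock_urb { int active; };
static int warnings; /* modelled "URB submitted while active" warnings */

/* Models usb_submit_urb(): resubmitting an in-flight URB warns and fails. */
static int mock_submit_urb(struct mock_urb *urb)
{
    if (urb->active) {
        warnings++;
        return -EBUSY;
    }
    urb->active = 1; /* in flight until completed or killed */
    return 0;
}

/* Models usb_kill_urb(): the URB is idle on return. The real call can sleep,
 * so it is only usable where the caller is allowed to block. */
static void mock_kill_urb(struct mock_urb *urb) { urb->active = 0; }

/* Bug pattern from the text: submit without checking the previous transfer. */
static int tx_block_unserialized(struct mock_urb *tx_urb)
{
    return mock_submit_urb(tx_urb);
}

/* Fix pattern from the text: force the URB idle, then submit. */
static int tx_block_serialized(struct mock_urb *tx_urb)
{
    mock_kill_urb(tx_urb);
    return mock_submit_urb(tx_urb);
}

/* Two sends with no completion in between; returns the second send's result. */
static int second_send_result(int (*tx)(struct mock_urb *))
{
    struct mock_urb urb = { 0 };
    warnings = 0;
    tx(&urb);
    return tx(&urb);
}

int main(void)
{
    printf("unserialized: %d\n", second_send_result(tx_block_unserialized));
    printf("serialized:   %d\n", second_send_result(tx_block_serialized));
    return 0;
}
```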
How can this vulnerability impact me?
This vulnerability can cause warnings and potentially unstable behavior in the wifi driver due to submitting USB requests while previous ones are still active. This may lead to transmission errors or unexpected behavior during rapid firmware loading, possibly affecting wifi performance or reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability triggers a warning message 'URB submitted while active' in the Linux kernel when the usb_tx_block() function submits a transmission request while a previous one is still active.
To detect this vulnerability on your system, you can monitor the kernel logs for this specific warning message.
- Use the command: dmesg | grep 'URB submitted while active'
- Alternatively, check the system journal logs with: journalctl -k | grep 'URB submitted while active'
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by enforcing serialization in the usb_tx_block() function, specifically by calling usb_kill_urb() before submitting a new URB request to ensure the previous transmission is complete.
Immediate mitigation steps include updating your Linux kernel to a version that includes this fix.
If updating is not immediately possible, monitoring for the warning and avoiding rapid firmware loading that triggers multiple usb_submit_urb() calls in quick succession may reduce the risk.