CVE-2026-43255
Analyzed Analyzed - Analysis Complete
USB URB Race Condition in Linux Kernel

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix WARNING in usb_tx_block The function usb_tx_block() submits cardp->tx_urb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active (e.g. during rapid firmware loading), usb_submit_urb() detects the active state and triggers a warning: 'URB submitted while active'. Fix this by enforcing serialization: call usb_kill_urb() before submitting the new request. This ensures the URB is idle and safe to reuse.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43255
EUVD
EUVD-2026-27814
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.16 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.6 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 2.6.22 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's libertas wifi driver, specifically in the usb_tx_block() function. The function submits a transmission request (tx_urb) without checking if a previous transmission on the same request has completed. If a second submission occurs while the first is still active, it triggers a warning 'URB submitted while active'. This happens, for example, during rapid firmware loading.

The issue is fixed by enforcing serialization: before submitting a new request, the function usb_kill_urb() is called to ensure the previous request is idle and safe to reuse.

Impact Analysis

This vulnerability can cause warnings and potentially unstable behavior in the wifi driver due to submitting USB requests while previous ones are still active. This may lead to transmission errors or unexpected behavior during rapid firmware loading, possibly affecting wifi performance or reliability.

Detection Guidance

This vulnerability triggers a warning message 'URB submitted while active' in the Linux kernel when the usb_tx_block() function submits a transmission request while a previous one is still active.

To detect this vulnerability on your system, you can monitor the kernel logs for this specific warning message.

  • Use the command: dmesg | grep 'URB submitted while active'
  • Alternatively, check the system journal logs with: journalctl -k | grep 'URB submitted while active'
Mitigation Strategies

The vulnerability is fixed by enforcing serialization in the usb_tx_block() function, specifically by calling usb_kill_urb() before submitting a new URB request to ensure the previous transmission is complete.

Immediate mitigation steps include updating your Linux kernel to a version that includes this fix.

If updating is not immediately possible, monitoring for the warning and avoiding rapid firmware loading that triggers multiple usb_submit_urb() calls in quick succession may reduce the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43255. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart