CVE-2026-43427
Analyzed Analyzed - Analysis Complete
USB CDC-WDM Memory Corruption in Linux Kernel

Publication date: 2026-05-08

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: class: cdc-wdm: fix reordering issue in read code path Quoting the bug report: Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1]. Fix it by using WRITE_ONCE and memory barriers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-20
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43427
EUVD
EUVD-2026-28733
Affected Vendors & Products
Showing 21 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.26
linux linux_kernel 2.6.26
linux linux_kernel 2.6.26
linux linux_kernel 2.6.26
linux linux_kernel 2.6.26
linux linux_kernel 2.6.26
linux linux_kernel 2.6.26
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 2.6.26.1 (inc) to 5.10.253 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's usb class driver for cdc-wdm devices. It is caused by a reordering issue in the read code path where, due to compiler optimization or CPU out-of-order execution, an update to the descriptor length can occur before a memory move operation completes. As a result, the read function (wdm_read) might see an updated length and attempt to copy data to user space from uninitialized memory, which is unsafe and violates kernel memory model data race rules.

The issue was fixed by using WRITE_ONCE and memory barriers to ensure proper ordering of operations and prevent this unsafe behavior.

Impact Analysis

This vulnerability can lead to the Linux kernel copying uninitialized memory to user space during read operations on cdc-wdm devices. This may cause information leakage of sensitive kernel memory contents or lead to unpredictable behavior or crashes in applications relying on this data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43427. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart