CVE-2026-43428
Analyzed Analyzed - Analysis Complete
USB Timeout Handling Fix in Linux Kernel

Publication date: 2026-05-08

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector. In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-20
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43428
EUVD
EUVD-2026-28734
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.78 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB core, specifically in the usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs. These APIs allow unkillable synchronous timeouts with unlimited duration, meaning a task can hang indefinitely without any way to kill it except by unplugging the device. The issue arises because these APIs use uninterruptible waits, which can cause a task to become stuck for an unlimited time.

The vulnerability was addressed by enforcing a maximum timeout limit of 60 seconds on these unkillable synchronous timeouts. Additionally, negative timeout values are treated as zero, which means the maximum allowed timeout is used, removing ambiguity.

Impact Analysis

This vulnerability can cause tasks in the Linux kernel to hang indefinitely when using certain USB APIs, leading to system instability or unresponsiveness. Since the tasks are in uninterruptible wait states, they cannot be killed or stopped normally, potentially requiring physical intervention such as unplugging the USB device to recover.

Such hangs could disrupt normal system operations, degrade performance, or cause denial of service conditions on systems relying on USB devices.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the USB core limits the length of unkillable synchronous timeouts to a maximum of 60 seconds.

This update enforces a maximum timeout limit on usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs, preventing tasks from hanging indefinitely.

If updating the kernel is not immediately possible, consider unplugging USB devices that may cause the system to hang due to unkillable synchronous timeouts.

Detection Guidance

This vulnerability involves the Linux kernel's USB core APIs allowing unkillable synchronous timeouts that can hang tasks indefinitely. Detection would involve monitoring for processes stuck in uninterruptible sleep states (usually 'D' state) related to USB operations.

You can use commands like 'ps' or 'top' to identify processes in uninterruptible sleep. For example, running 'ps aux | grep D' can show processes stuck in the 'D' state.

Additionally, checking kernel logs (e.g., using 'dmesg' or 'journalctl') for hung-task detector messages or USB-related errors may help identify symptoms of this issue.

Since the vulnerability relates to USB control, bulk, and interrupt messages with unlimited timeouts, monitoring USB device behavior and any tasks interacting with USB devices for hangs or unresponsiveness is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43428. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart