PatchSiren cyber security CVE debrief
CVE-2026-43342 Linux CVE debrief
CVE-2026-43342 affects the Linux kernel’s USB gadget RNDIS function. The issue is a race condition in class, subclass, and protocol option handling when those values are accessed concurrently through configfs. The fix uses an existing mutex to serialize access; the issue was identified during code inspection.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-18
Who should care
Linux kernel maintainers, distro security teams, and operators who use USB gadget/RNDIS functionality on affected kernels should prioritize this advisory.
Technical summary
NVD describes the flaw as a CWE-362 race condition in usb: gadget: f_rndis, where the class, subclass, and protocol options can be accessed concurrently via configfs. Concurrent writers can leave that option state inconsistent; the CVSS vector rates the impact as high on availability (A:H), reachable only with local access (AV:L), low privileges (PR:L), and high attack complexity (AC:H). The NVD record links several Linux stable patch references; the affected version ranges run from 4.14 up to each branch's fixed cutoff and also cover Linux 7.0 rc1 through rc6.
Defensive priority
Medium. Prioritize patching if your environment exposes USB gadget/RNDIS functionality or ships kernels in the affected ranges, because the flaw can affect availability even though it requires local access and high attack complexity.
Recommended defensive actions
- Upgrade to a kernel build that includes the stable fix for your branch; NVD lists non-vulnerable cutoffs at 5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, and 6.19.12.
- If you cannot upgrade immediately, reduce exposure by disabling or restricting USB gadget/RNDIS configfs functionality on systems that do not need it.
- Confirm your vendor kernel has backported the relevant Linux stable patch rather than relying only on upstream branch numbers.
- Identify systems whose workflows write f_rndis options through configfs and confirm they run a patched kernel before enabling those workflows.
- Track distro or vendor advisories tied to the kernel.org stable patch references included with the CVE record.
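As an added example (not part of the PatchSiren advisory or the kernel project), a POSIX shell helper that maps a `uname -r` string onto the per-branch fixed cutoffs quoted above and lists any RNDIS gadget function instances present in configfs. The configfs root /sys/kernel/config/usb_gadget and the `rndis.<name>` function directory naming are assumptions not stated on the page; a vendor kernel below a cutoff may still carry the backport, so treat "vulnerable" as a prompt to check vendor advisories rather than a verdict.

```shell
# Fixed versions per stable branch, as listed in the advisory (NVD non-vulnerable cutoffs).
FIXED_CUTOFFS="5.10.253 5.15.203 6.1.168 6.6.134 6.12.81 6.18.22 6.19.12"

# Reduce a kernel release string to x.y.z: "6.6.130-generic" -> "6.6.130", "6.6" -> "6.6.0".
kver_numeric() {
    v=$(printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/')
    case "$v" in
        *.*.*) printf '%s\n' "$v" ;;
        *)     printf '%s.0\n' "$v" ;;
    esac
}

# Compare two x.y.z versions numerically; prints -1, 0 or 1.
kver_cmp() {
    a=$(kver_numeric "$1"); b=$(kver_numeric "$2"); i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Classify a kernel release against the advisory's cutoffs. Prints fixed, vulnerable, or
# unknown-branch (no cutoff listed for that x.y line: check vendor backports instead).
rndis_fix_status() {
    rc=$(printf '%s' "$1" | sed -nE 's/^7\.0(\.0)?-rc([0-9]+).*/\2/p')  # 7.0 rc1-rc6 are listed as affected
    if [ -n "$rc" ] && [ "$rc" -le 6 ]; then echo vulnerable; return 0; fi
    v=$(kver_numeric "$1"); branch=${v%.*}
    for c in $FIXED_CUTOFFS; do
        if [ "${c%.*}" = "$branch" ]; then
            if [ "$(kver_cmp "$v" "$c")" -ge 0 ]; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    echo unknown-branch
}

# List RNDIS function instances under a configfs USB gadget root (assumed default
# /sys/kernel/config/usb_gadget, directories named rndis.<instance>); returns 0 if any exist.
rndis_configfs_instances() {
    root=${1:-/sys/kernel/config/usb_gadget}; found=1
    for d in "$root"/*/functions/rndis.*; do
        [ -d "$d" ] || continue
        printf '%s\n' "$d"; found=0
    done
    return "$found"
}
```

Run `rndis_fix_status "$(uname -r)"` for the running kernel and `rndis_configfs_instances` to see whether any RNDIS gadget function is currently configured.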
Evidence notes
The source corpus states that CVE-2026-43342 is in Linux kernel usb: gadget: f_rndis and that the class/subclass/protocol options were susceptible to race conditions through concurrent configfs access. It also states the fix is to protect those options with an existing mutex and that the issue was identified during code inspection. NVD marks the CVE as analyzed, assigns CVSS 3.1 vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H with score 4.7, and lists CWE-362. The record includes stable kernel patch links and vulnerable version ranges spanning multiple supported kernel lines.
Official resources
- CVE-2026-43342 CVE record (CVE.org)
- CVE-2026-43342 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch (the record lists this reference seven times)
CVE published by NVD/CVE on 2026-05-08 and modified on 2026-05-18. The source record ties the issue to kernel stable patch references and notes it was found during code inspection.