PatchSiren cyber security CVE debrief
CVE-2026-43425 Linux CVE debrief
CVE-2026-43425 is a Linux kernel USB driver issue in the mdc800 path. If mdc800_device_read() times out while waiting for download_urb completion, it can return without killing the URB, so a later read() may resubmit an URB that is still active and trigger the warning “URB submitted while active.” NVD rates this as medium severity with local, low-privilege access and high availability impact.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distro security teams, and operators of systems that use the mdc800 USB image driver should review this issue. It is most relevant where the affected kernel versions are deployed and the driver may be present or loadable.
Technical summary
The bug is a timeout-handling flaw in the usb: image: mdc800 driver. The read path submits download_urb and waits for it to complete; on timeout, it previously returned without cancelling the URB. That leaves the request in flight, so a subsequent read() can try to submit the same URB again, which triggers the usb_submit_urb() warning. The fix checks the return value of wait_event_timeout() and kills the URB when a timeout occurs, before inspecting its status or resubmitting it. NVD lists affected Linux kernel version ranges that span the older 2.6.12 releases and several stable series, each ending before the fixed version given in the CPE criteria.
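As an added illustration of the timeout-handling pattern (not code from the advisory or from the kernel), the following user-space model contrasts the pre-fix and fixed shapes of the read path. mock_submit_urb(), mock_wait() and mock_kill_urb() are hypothetical stand-ins for usb_submit_urb(), wait_event_timeout() and usb_kill_urb(); that an active URB is refused with -EBUSY is an assumption of the model, and only the URB's in-flight state is tracked.

```c
#include <errno.h>
#include <stdbool.h>
/* Hypothetical stand-in for a USB request block; only "in flight" is modelled. */
struct urb { bool active; };

/* Models usb_submit_urb(): warns "URB submitted while active" and refuses
 * the request if the URB is still in flight (the condition in this CVE). */
static int mock_submit_urb(struct urb *u, int *warned) {
    if (u->active) { (*warned)++; return -EBUSY; }
    u->active = true;
    return 0;
}

/* Models wait_event_timeout(): false on timeout, and the URB stays active. */
static bool mock_wait(struct urb *u, bool completes) {
    if (completes)
        u->active = false;  /* completion handler ran */
    return completes;
}

/* Models usb_kill_urb(): cancels the in-flight request. */
static void mock_kill_urb(struct urb *u) { u->active = false; }

/* Pre-fix shape of the read path: a timeout returns with the URB active. */
static int read_buggy(struct urb *u, bool completes, int *warned) {
    int rc = mock_submit_urb(u, warned);
    if (rc)
        return rc;
    return mock_wait(u, completes) ? 0 : -EIO;  /* no kill on timeout */
}

/* Fixed shape: check the wait result and kill the URB before returning. */
static int read_fixed(struct urb *u, bool completes, int *warned) {
    int rc = mock_submit_urb(u, warned);
    if (rc)
        return rc;
    if (!mock_wait(u, completes)) {
        mock_kill_urb(u);
        return -EIO;
    }
    return 0;
}

/* Two reads: the first times out, the next resubmits; returns warning count. */
static int warnings_after_timeout(int (*rd)(struct urb *, bool, int *)) {
    struct urb u = { .active = false };
    int warned = 0;
    rd(&u, false, &warned);  /* download_urb times out */
    rd(&u, true, &warned);   /* later read() resubmits */
    return warned;
}
```

Running the two-read sequence through read_buggy produces one "submitted while active" warning, while read_fixed produces none because the timed-out URB was cancelled first.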
Defensive priority
Medium. This is not marked as a known exploited vulnerability in the supplied data, but it can affect kernel availability and generate repeated warnings or denial-of-service conditions on systems using the driver.
Recommended defensive actions
- Apply the upstream/stable kernel patches linked by NVD for CVE-2026-43425.
- Upgrade to a Linux kernel release that includes the fix for the affected branch you run.
- If you cannot patch immediately, minimize use of the mdc800 driver on affected systems and monitor for repeated USB kernel warnings.
- Inventory kernels against the NVD affected version ranges before and after remediation.
Evidence notes
The CVE description states that mdc800_device_read() can return on wait_event_timeout() expiration without killing download_urb, leaving the URB active and enabling a later read() to resubmit it. NVD marks the issue as analyzed with CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and provides multiple kernel patch references. The supplied NVD CPE criteria list affected Linux kernel ranges ending before 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, and 6.19.9, plus the specific early 2.6.12 and 7.0 release-candidate entries.
Official resources
- CVE-2026-43425 CVE record (CVE.org)
- CVE-2026-43425 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Published 2026-05-08T15:16:54.620Z; last modified 2026-05-20T18:35:46.093Z. NVD vulnStatus is Analyzed in the supplied source item.