PatchSiren cyber security CVE debrief
CVE-2026-43427 Linux CVE debrief
CVE-2026-43427 is a Linux kernel vulnerability in the USB class cdc-wdm read path. According to the published description, a reordering issue can let desc->length be updated before the associated memmove completes, so wdm_read() may observe the new length and copy uninitialized memory to user space. NVD rates the issue HIGH with a 7.1 CVSS score and marks it as analyzed. The supplied record also points to stable kernel patches and affected release ranges across multiple supported kernel branches.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distro security teams, fleet administrators, and embedded/device vendors that ship affected Linux kernel builds should care. Systems that include the USB cdc-wdm driver in affected kernel versions are in scope for remediation.
Technical summary
The vulnerability is a memory-ordering/data-race problem in the read path of the "usb: class: cdc-wdm" driver. The bug report quoted in the CVE description says compiler optimization or CPU out-of-order execution can move the store to desc->length ahead of the memmove that fills the buffer, so a concurrent wdm_read() can see the new length and call copy_to_user() on memory that has not yet been written. NVD classifies the weakness as CWE-125 and assigns the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The described fix uses WRITE_ONCE and memory barriers to enforce the intended ordering between the data copy and the length update.
Defensive priority
High. The issue is locally reachable, requires low complexity, and can expose sensitive memory contents with possible availability impact per the CVSS record. Prioritize kernel updates for any affected systems, especially where USB cdc-wdm is present.
Recommended defensive actions
- Update Linux kernel packages to a vendor release that includes the cdc-wdm read-path ordering fix.
- Confirm your distribution’s backport or changelog includes the stable.kernel.org patch references associated with CVE-2026-43427.
- Inventory hosts running kernel versions that fall within the affected ranges listed by NVD and schedule remediation first for exposed or high-value systems.
- Reboot into the fixed kernel after patching so the corrected driver code is active.
- Verify remediation using the vendor or kernel package advisory rather than version number alone, since backports may vary by distribution.
Evidence notes
Sources supplied for this record include the NVD CVE entry (vulnStatus: Analyzed) and the CVE description itself. The description states the bug is in usb: class: cdc-wdm and that the fix uses WRITE_ONCE plus memory barriers. NVD lists CWE-125 and CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. The affected CPE ranges in the record span multiple Linux kernel branches, ending before fixed releases such as 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, and 6.19.9. No KEV entry was provided in the supplied enrichment.
Official resources
- CVE-2026-43427 CVE record (CVE.org)
- CVE-2026-43427 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE/NVD record on 2026-05-08 and updated by NVD on 2026-05-20 with analysis and patch references. The supplied enrichment does not indicate a CISA KEV listing.