PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43428 Linux CVE debrief

CVE-2026-43428 is a Linux kernel USB core availability issue affecting the synchronous message APIs. Before the fix, usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() accepted unlimited timeouts while waiting uninterruptibly, which could leave a task hung indefinitely unless the device was unplugged. The fix caps these unkillable waits at 60 seconds and treats negative timeout values like 0, removing the ambiguity.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro backport teams, and operators of USB-dependent systems, especially embedded, kiosk, lab, and multi-user environments where local access or local software can trigger USB I/O and a stuck task is operationally disruptive.

Technical summary

The flaw is not a memory corruption bug; it is a kernel availability problem in usbcore. The affected APIs allowed arbitrarily long synchronous waits that could not be interrupted, so a caller could pin a task for an unlimited period. The fix introduces a maximum timeout of 60 seconds for these APIs and treats negative timeouts like 0, so both cases now wait for at most the maximum allowed timeout. NVD rates the issue CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, reflecting a local, low-privilege path to high availability impact.

Defensive priority

Medium, with higher urgency on systems where USB devices are exposed to untrusted local users or where task hangs materially affect uptime.

Recommended defensive actions

  • Apply the kernel updates or stable backports that include the timeout-cap fix for usbcore.
  • Verify whether your maintained kernel branch is within the affected ranges listed by NVD and backport the fix if needed.
  • Review any in-tree or out-of-tree code that passes user-influenced or unusually large timeout values into usb_control_msg(), usb_bulk_msg(), or usb_interrupt_msg().
  • Prefer bounded, device-appropriate timeouts instead of relying on unbounded synchronous waits.
  • Watch for hung-task detector alerts or operational stalls on USB-heavy systems after deployment, and investigate recurring device faults separately if hangs persist once the fix is in place.
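To make the timeout semantics from the technical summary and the "review timeout callers" action concrete, here is an added example in user-space C. It is not kernel code and not the patch itself: it models the policy the debrief describes (negative values treated like 0, and 0, which the kernel documents as "wait indefinitely" for these millisecond timeouts, now bounded by the 60-second cap) beside the pre-fix behaviour, and adds a small review helper that bounds a caller-supplied timeout to a device-appropriate budget. The function names, the 60000 ms constant derived from the debrief's 60 seconds, and the sample values are all assumptions made for illustration.

```c
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the timeout policy
 * the CVE-2026-43428 fix is described as introducing for usb_control_msg(),
 * usb_bulk_msg() and usb_interrupt_msg(). The kernel documents these timeouts
 * in milliseconds, with 0 meaning "wait indefinitely"; the cap of 60 seconds
 * comes from the debrief. All function names here are hypothetical. */

#define USB_SYNC_TIMEOUT_CAP_MS 60000L   /* 60 s, per the debrief */

/* Effective wait (ms) a synchronous USB message API would use after the fix:
 * negative values are treated like 0, and 0 (formerly "no timeout") is bounded
 * by the cap, so no caller can wait uninterruptibly for longer than the cap. */
long effective_usb_timeout_ms(long requested_ms)
{
    if (requested_ms <= 0)               /* negative handled like 0 */
        return USB_SYNC_TIMEOUT_CAP_MS;  /* 0 now means "up to the cap" */
    if (requested_ms > USB_SYNC_TIMEOUT_CAP_MS)
        return USB_SYNC_TIMEOUT_CAP_MS;
    return requested_ms;
}

/* Pre-fix behaviour, for comparison: a non-positive value waits forever
 * (modelled here as -1 = unbounded) and large values are honoured as given. */
long legacy_usb_timeout_ms(long requested_ms)
{
    return requested_ms <= 0 ? -1 : requested_ms;
}

/* Code-review helper for the "review timeout callers" action: classify a
 * timeout a driver is about to pass down. device_budget_ms is the longest
 * wait the driver author considers reasonable for that device or transfer. */
enum timeout_verdict { TIMEOUT_OK, TIMEOUT_UNBOUNDED, TIMEOUT_OVER_BUDGET };

enum timeout_verdict audit_usb_timeout(long requested_ms, long device_budget_ms)
{
    if (requested_ms <= 0)
        return TIMEOUT_UNBOUNDED;    /* relies on the kernel cap; pre-fix, a hang */
    if (requested_ms > device_budget_ms)
        return TIMEOUT_OVER_BUDGET;  /* user-influenced or oversized value */
    return TIMEOUT_OK;
}

/* Bound a caller-supplied value to the device budget before passing it on,
 * so the driver never depends on the kernel-wide cap for its own sanity. */
long bounded_usb_timeout_ms(long requested_ms, long device_budget_ms)
{
    if (requested_ms <= 0 || requested_ms > device_budget_ms)
        return device_budget_ms;
    return requested_ms;
}

int main(void)
{
    /* Constructed sample requests: negative, zero, sane, large, oversized. */
    long samples[] = { -5, 0, 500, 5000, 600000 };
    const long budget_ms = 5000;  /* hypothetical per-device budget */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long r = samples[i];
        printf("requested %7ld ms: legacy %7ld, fixed %6ld, bounded(%ld) %5ld, verdict %d\n",
               r, legacy_usb_timeout_ms(r), effective_usb_timeout_ms(r),
               budget_ms, bounded_usb_timeout_ms(r, budget_ms),
               (int)audit_usb_timeout(r, budget_ms));
    }
    return 0;
}
```

The `legacy` column shows why the pre-fix behaviour was a hang risk (any non-positive request waited forever), the `fixed` column shows the post-fix ceiling, and `audit_usb_timeout()` is the kind of check to apply when reviewing drivers that forward user-influenced timeouts: anything classified as unbounded or over budget should be clamped with a device-appropriate value rather than left to the kernel-wide cap.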

Evidence notes

This debrief is based on the CVE description and NVD metadata provided in the source corpus. The CVE was published on 2026-05-08 and last modified on 2026-05-20. NVD lists the issue as analyzed, cites official stable kernel patch references, and describes the affected Linux kernel ranges through 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, and 6.19.9, plus older historical and release-candidate entries. The weakness classification is NVD-CWE-noinfo.

Official resources

Publicly disclosed on 2026-05-08; NVD last modified on 2026-05-20. Official patch references are included in the NVD record.