PatchSiren cyber security CVE debrief
CVE-2026-43429 Linux CVE debrief
CVE-2026-43429 is a Linux kernel USB usbtmc issue where user-specified ioctl timeout values could be passed into usb_bulk_msg() calls that used unkillable waits. The fix changes those paths to usb_bulk_msg_killable(), reducing the risk that a local user can keep a kernel thread waiting indefinitely or for an excessively long time.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-20
Who should care
Linux system maintainers, kernel patch managers, and administrators running systems with the USBTMC driver enabled or exposed to local users. It is most relevant where local access is possible and where availability of the kernel or a dependent service is important.
Technical summary
According to the CVE description, the usbtmc driver accepts timeout values from a user ioctl and uses them in some usb_bulk_msg() calls. Because usb_bulk_msg() uses unkillable waits, a user could supply an arbitrarily long timeout and cause a kernel thread to remain blocked. The kernel fix switches those calls to usb_bulk_msg_killable() so the wait can be interrupted instead of hanging indefinitely. NVD rates the issue CVSS 3.1 5.5/Medium with AV:L/PR:L/UI:N and impact concentrated on availability (A:H).
Defensive priority
Medium priority: the issue is local and availability-focused, but it can block kernel work for an unbounded time when USBTMC is in use. Patch or backport the kernel fix on affected systems that expose this driver to local users.
Recommended defensive actions
- Apply the upstream Linux kernel fix or backport the stable patch set referenced by NVD.
- Prioritize updates for kernels in the affected ranges listed by NVD, especially if USBTMC is enabled in your environment.
- Review whether untrusted local users can access USBTMC-related ioctl interfaces on your systems.
- If immediate patching is not possible, restrict local access and monitor for abnormal hangs in kernel threads related to USB device interactions.
- Track your kernel vendor's advisory or stable release that includes the usb_bulk_msg_killable() change.
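As an added example that is not part of this advisory or of the kernel tree, the following POSIX shell function implements the "review local access" action above: it reports whether the usbtmc driver is present and whether any of its device nodes can be opened by unprivileged local users. It assumes the driver exposes nodes as /dev/usbtmc* and registers under /sys/bus/usb/drivers/usbtmc; the file and directory arguments exist so the check can be pointed at copies for testing.

```shell
#!/bin/sh
# usbtmc_exposure_check [MODULES_FILE] [DEVICE_DIR] [DRIVER_SYSFS_DIR]
#   defaults: /proc/modules, /dev, /sys/bus/usb/drivers/usbtmc (assumed paths)
# Exit status: 0 = driver not present
#              1 = driver present, but no usbtmc node is open to "other"
#              2 = at least one usbtmc node is readable or writable by others,
#                  i.e. any local user can open it and issue its ioctls
usbtmc_exposure_check() {
  modules="${1:-/proc/modules}"
  devdir="${2:-/dev}"
  drvdir="${3:-/sys/bus/usb/drivers/usbtmc}"
  present=0
  exposed=0

  # Loaded as a module (/proc/modules) or built in / bound (sysfs driver dir).
  if grep -q '^usbtmc ' "$modules" 2>/dev/null || [ -d "$drvdir" ]; then
    present=1
    echo "usbtmc driver present on kernel $(uname -r)"
  fi

  for node in "$devdir"/usbtmc*; do
    [ -e "$node" ] || continue
    # Columns 8-10 of 'ls -l' are the permission bits for "other".
    other=$(ls -ld "$node" | cut -c8-10)
    case "$other" in
      *r*|*w*) echo "EXPOSED: $node (other=$other)"; exposed=1 ;;
      *)       echo "restricted: $node (other=$other)" ;;
    esac
  done

  if [ "$exposed" -eq 1 ]; then return 2; fi
  if [ "$present" -eq 1 ]; then return 1; fi
  return 0
}
```

Source the file and run `usbtmc_exposure_check` on the host; a status of 2 means the precondition this advisory describes (an untrusted local user able to reach the usbtmc ioctl interface) is met and the node permissions or the kernel should be addressed first.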
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus and official references. The CVE was published on 2026-05-08 and last modified on 2026-05-20. NVD marks the vulnerability as analyzed and links multiple stable.kernel.org patch references. NVD also lists affected Linux kernel version ranges spanning 4.19 through 6.19.9, plus several 7.0 release candidates. The weakness field is NVD-CWE-noinfo, so no narrower CWE is asserted here.
Official resources
- CVE-2026-43429 CVE record (CVE.org)
- CVE-2026-43429 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE/NVD record on 2026-05-08 and last modified on 2026-05-20. NVD includes stable.kernel.org patch references for remediation.