PatchSiren cyber security CVE debrief

CVE-2026-43430 Linux CVE debrief

CVE-2026-43430 is a Linux kernel race condition in the usb:yurex probe path. The issue is an ordering bug: the descriptor's bbu field must be set to the uninitialized sentinel before the URB is submitted, otherwise probe can race with the URB completion handler and overwrite data that has already been retrieved. NVD rates the issue 4.7/10 (MEDIUM) with a local attack vector, high attack complexity, low privileges, and availability impact only.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and administrators of systems that ship or use the yurex USB driver should care most. Exposure is most relevant where the affected driver is present in the running kernel.

Technical summary

The vulnerability is a CWE-362 race condition in the yurex USB driver probe logic. According to the supplied description, the bbu member of the descriptor must be initialized to the 'uninitialized' value before the URB is submitted; otherwise there is a window where probe can overwrite data already set by the URB completion handler. NVD classifies the issue as CVSS 3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H and marks multiple Linux kernel release lines as vulnerable, with stable fixes referenced for the affected branches.

Defensive priority

Medium. The issue is local, requires low privileges, and has high attack complexity, but it affects kernel code and can impact availability; patching should be prioritized on any system that includes the yurex driver.

Recommended defensive actions

  • Upgrade to a fixed Linux kernel release in your branch: 5.10.253 or later, 5.15.203 or later, 6.1.167 or later, 6.6.130 or later, 6.12.78 or later, 6.18.19 or later, or 6.19.9 or later, as applicable to your deployment.
  • Apply the upstream stable patches referenced in the official kernel.org links provided for this CVE.
  • Confirm whether your fleet actually includes the yurex USB driver; systems that do not use the driver have lower practical exposure, but kernel updates are still the safest remediation path.
  • After patching, verify running kernel versions and reboot into the fixed build where required.
  • Track vendor backports and distro advisories if you consume packaged kernels rather than upstream stable releases.
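As an added, constructed helper (not code from PatchSiren or the Linux kernel project), the following POSIX shell script encodes the fixed-release list above, checks a kernel version string against the fixed release for its stable branch, and checks whether the yurex module is loaded or shipped; the function names and the return-code convention are this example's own assumptions.

```shell
#!/bin/sh
# Constructed example for the CVE-2026-43430 debrief; not code from PatchSiren
# or the Linux kernel project. Function names and return codes are this
# example's own convention.

# Fixed release per stable branch, copied from the debrief's list above.
FIXED_RELEASES="5.10.253 5.15.203 6.1.167 6.6.130 6.12.78 6.18.19 6.19.9"

# yurex_kernel_fixed VERSION
#   0: VERSION is at or beyond the fixed release for its VERSION.PATCHLEVEL branch
#   1: VERSION is older than that fixed release (treat as vulnerable unless the
#      distro backported the fix without bumping the version string)
#   2: the branch is not in the debrief's fixed-release list (e.g. 7.0-rc tags)
yurex_kernel_fixed() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-generic", "-rc3", "+"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    sublevel=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$sublevel" ] || sublevel=0
    for fixed in $FIXED_RELEASES; do
        fmajor=$(printf '%s' "$fixed" | cut -d. -f1)
        fminor=$(printf '%s' "$fixed" | cut -d. -f2)
        fsub=$(printf '%s' "$fixed" | cut -d. -f3)
        if [ "$major" = "$fmajor" ] && [ "$minor" = "$fminor" ]; then
            [ "$sublevel" -ge "$fsub" ] && return 0
            return 1
        fi
    done
    return 2
}

# yurex_driver_present: 0 if the yurex module is loaded or shipped for the
# running kernel, 1 otherwise (no module means lower practical exposure).
yurex_driver_present() {
    grep -q '^yurex ' /proc/modules 2>/dev/null && return 0
    modinfo yurex >/dev/null 2>&1 && return 0
    return 1
}

# yurex_report: human-readable verdict for the running kernel.
yurex_report() {
    running=$(uname -r)
    rc=0; yurex_kernel_fixed "$running" || rc=$?
    case $rc in
        0) echo "$running: at or beyond the fixed release for its branch" ;;
        1) echo "$running: older than the fixed release; check distro advisories" ;;
        *) echo "$running: branch not in the fixed-release list; check kernel.org" ;;
    esac
    if yurex_driver_present; then echo "yurex driver present"; else echo "yurex driver not found"; fi
}
```

Source the file and call `yurex_report` on each host; a return code of 1 on a distro kernel is a prompt to consult the distro advisory, since backports often do not change the version string.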

Evidence notes

Source evidence is limited to the supplied CVE/NVD corpus and official kernel.org patch links. The CVE description states that the yurex probe path can race unless descriptor.bbu is set before URB submission, because completion can otherwise overwrite already retrieved data. NVD marks the record as analyzed, assigns CVSS 3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, and maps it to CWE-362. NVD's affected CPE criteria list Linux kernel ranges starting at 2.6.37 and ending at the specified fixed release boundaries for each tracked branch, plus 7.0 rc1 through rc7. No KEV listing was provided.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-08 and last modified by NVD on 2026-05-20. No KEV entry was included in the supplied data.