CVE-2026-43428
Published: 2026-05-08 · Last updated: 2026-05-20
Severity and scoring
- CVSS: 5.5 MEDIUM
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
| Vendor | Product |
|---|---|
| linux | linux_kernel |
Description
In the Linux kernel, the following vulnerability has been resolved:

USB: core: Limit the length of unkillable synchronous timeouts

The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device.

To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector.

In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout.
Source: NVD
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43428
- Patch: https://git.kernel.org/stable/c/06d2bbc4c66c6b0e8a43728c4949026026a5be67
- Patch: https://git.kernel.org/stable/c/1015c27a5e1a63efae2b18a9901494474b4d1dc3
- Patch: https://git.kernel.org/stable/c/24b31a227f679a942d820840a4dea7f0c09a387f
- Patch: https://git.kernel.org/stable/c/2d34cb4d1d6283b4be9c78f4a83ed6956d3069ec
- Patch: https://git.kernel.org/stable/c/4e86f5b79e62ded7e3c3ebd688cf5775e618148a
- Patch: https://git.kernel.org/stable/c/64f3d75633aedc12bdff220e9a4337177430bd9d
- Patch: https://git.kernel.org/stable/c/659c0c7d50a4b0f6aa197c4c098cfd91daf63862
- Patch: https://git.kernel.org/stable/c/6c62935670acdbb7687ced20494923b66fbb0367
Related CVEs
Same vendor
- CVE-2026-46273 — In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapt... (8.6 HIGH)
- CVE-2026-46272 — In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode ... (4.7 MEDIUM)
- CVE-2026-46271 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: do WoW offloads only on primary link In case of multi... (7.8 HIGH)
- CVE-2026-46270 — In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free in power_supply_changed() ... (8.4 HIGH)
- CVE-2026-46269 — In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix NULL pointer dereference when parsing dev... (5.5 MEDIUM)