Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: r8152: fix resume reset deadlock

rtl8152 can trigger device reset during reset which
potentially can result in a deadlock:

**** DPM device timeout after 10 seconds; 15 seconds until panic ****
Call Trace:
<TASK>
schedule+0x483/0x1370
schedule_preempt_disabled+0x15/0x30
__mutex_lock_common+0x1fd/0x470
__rtl8152_set_mac_address+0x80/0x1f0
dev_set_mac_address+0x7f/0x150
rtl8152_post_reset+0x72/0x150
usb_reset_device+0x1d0/0x220
rtl8152_resume+0x99/0xc0
usb_resume_interface+0x3e/0xc0
usb_resume_both+0x104/0x150
usb_resume+0x22/0x110

The problem is that rtl8152 resume calls reset under
tp->control mutex while reset basically re-enters rtl8152
and attempts to acquire the same tp->control lock once
again.

Reset INACCESSIBLE device outside of tp->control mutex
scope to avoid recursive mutex_lock() deadlock.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel deadlock leading to potential system hangs or panic
Action: Apply Kernel Update
AI Analysis

Impact

The vulnerability resides in the Linux kernel's rtl8152 USB driver: the resume routine calls reset while holding the device control mutex (tp->control), and the reset path re-enters the driver and attempts to acquire the same mutex again. This recursive locking can deadlock, which manifests as a DPM device timeout after ten seconds and a kernel panic after an additional fifteen seconds, disrupting system availability. The flaw is a locking defect that leads to a system halt; it is classified as CWE-667 and affects availability rather than confidentiality or integrity.

Affected Systems

Vulnerable kernels include Linux kernel version 6.19 release candidates 1 through 8. Any system running rc8 or an earlier pre-release of that branch is impacted. The issue is resolved in kernels later than rc8, where the deadlock condition is eliminated.

Risk and Exploitability

With a CVSS score of 5.5 the weakness poses a moderate risk. Its EPSS score is below 1% and it is not listed in the CISA KEV catalog, implying a low probability of widespread exploitation. The likely attack vector requires local access that can trigger a USB resume event, such as removing and reconnecting an rtl8152 device. Once triggered, the deadlock may render the kernel unresponsive, enabling a denial‑of‑service scenario.

Generated by OpenCVE AI on April 18, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release version that includes the rtl8152 deadlock fix, such as 6.19 rc9 or later
  • If an immediate kernel upgrade is not possible, apply the patch from the kernel commit that introduced the deadlock fix or use a vendor’s backport of the change
  • Configure the system to either disable automatic resume for the rtl8152 network adapter or monitor system logs for DPM timeout warnings to pre‑emptively reboot if a deadlock occurs



Advisories
Source | ID | Title
Debian DSA | DSA-6141-1 | linux security update
History

Thu, 19 Mar 2026 18:15:00 +0000

Weaknesses
  Added: CWE-667

CPEs
  Added:
    cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*

Metrics
  Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Tue, 17 Feb 2026 00:15:00 +0000

References

Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: threat_severity Moderate


Sat, 14 Feb 2026 16:45:00 +0000

Description
  Added: the text shown in the Description section at the top of this page

Title
  Added: net: usb: r8152: fix resume reset deadlock

First Time appeared
  Added: Linux
         Linux linux Kernel

CPEs
  Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Vendors & Products
  Added: Linux
         Linux linux Kernel

References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:27:16.869Z

Reserved: 2026-01-13T15:37:45.985Z

Link: CVE-2026-23188

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-14T17:15:56.600

Modified: 2026-03-19T18:04:07.167

Link: CVE-2026-23188

Redhat

Severity: Moderate

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23188 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses