Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: aqc111: Do not perform PM inside suspend callback

syzbot reports "task hung in rpm_resume"

This is caused by aqc111_suspend calling
the PM variant of its write_cmd routine.

The simplified call trace looks like this:

rpm_suspend()
  usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING
    aqc111_suspend() - called for the usb device interface
      aqc111_write32_cmd()
        usb_autopm_get_interface()
          pm_runtime_resume_and_get()
            rpm_resume() - here we call rpm_resume() on our parent
              rpm_resume() - Here we wait for a status change that will never happen.

At this point we block another task which holds
rtnl_lock and locks up the whole networking stack.

Fix this by replacing the write_cmd calls with their _nopm variants
Published: 2026-04-03
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Network Stack Lock
Action: Apply Patch
AI Analysis

Impact

The aqc111 USB driver in the Linux kernel calls the power-management (PM) variant of its write routine while handling a suspend callback. This triggers a runtime PM resume that never completes; the hung task in turn blocks another task that holds the networking lock (rtnl_lock), which freezes the entire network stack. The result is a denial of network service for the affected system. The flaw is classified as a resource acquisition or use problem (CWE-833).
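The self-deadlock in the call trace, reduced to a user-space C model. This is an added example, not kernel or driver code: `model_dev`, `model_rpm_resume`, `simulate_suspend` and the result codes are constructed names, and the interface is assumed to start in the suspended state.

```c
#include <stdio.h>
/* User-space model of the runtime PM states in the call trace; not kernel code. */
enum rpm_status { RPM_ACTIVE, RPM_SUSPENDING, RPM_SUSPENDED };
enum { MODEL_OK = 0, MODEL_WOULD_HANG = -1 };  /* constructed result codes */

struct model_dev { enum rpm_status status; struct model_dev *parent; };

/* Stand-in for rpm_resume(): the kernel sleeps while a device is mid-transition;
 * the model reports that wait instead of blocking. */
static int model_rpm_resume(struct model_dev *dev)
{
    if (dev->status == RPM_ACTIVE)
        return MODEL_OK;
    if (dev->status == RPM_SUSPENDING)
        return MODEL_WOULD_HANG;  /* only the suspend path's own return ends this state */
    if (dev->parent) {
        int ret = model_rpm_resume(dev->parent);  /* resume the parent first */
        if (ret)
            return ret;
    }
    dev->status = RPM_ACTIVE;
    return MODEL_OK;
}

/* PM variant: resume the interface before the register write. */
static int model_write_cmd(struct model_dev *intf) { return model_rpm_resume(intf); }

/* _nopm variant: register write only, no runtime PM call. */
static int model_write_cmd_nopm(struct model_dev *intf) { (void)intf; return MODEL_OK; }

/* Stand-in for rpm_suspend() on the USB device running the interface's suspend callback. */
int simulate_suspend(int use_nopm)
{
    struct model_dev udev = { RPM_ACTIVE, NULL };
    struct model_dev intf = { RPM_SUSPENDED, &udev };  /* assumed starting state */
    int ret;
    udev.status = RPM_SUSPENDING;  /* state noted at usb_suspend_both() in the trace */
    ret = use_nopm ? model_write_cmd_nopm(&intf) : model_write_cmd(&intf);
    if (ret == MODEL_OK)
        udev.status = RPM_SUSPENDED;  /* callback returned, so the transition completes */
    return ret;
}

int main(void)
{
    printf("PM variant: %d, _nopm variant: %d\n", simulate_suspend(0), simulate_suspend(1));
    return 0;
}
```

The PM variant reaches the parent while it is still in RPM_SUSPENDING, the wait that in the kernel never ends; the _nopm variant lets the callback return so the suspend completes.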

Affected Systems

Any Linux kernel that includes the unchanged aqc111 driver is vulnerable. All distributions shipping a kernel with this driver module, without the patch, are at risk. The vulnerability applies across the Linux kernel project and its variants. No specific kernel release series is listed, so the presence of the unpatched code implies broad coverage.

Risk and Exploitability

Exploit probability is reported as less than 1% and the issue is not listed as a known exploited vulnerability. The vector is inferred as local: an attacker would need to manage the USB bus or provoke a suspend cycle on a connected aqc111 device within the physical environment of the target. If successful, the impact would be a loss of network connectivity until the system is rebooted or the lock is released. The overall risk is moderate: the likelihood is low, but the effect on availability is critical.

Generated by OpenCVE AI on April 7, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that replaces the PM‑aware write routine in aqc111 with a PM‑free variant.
  • Confirm the update by checking release notes or the driver source for the applied fix.
  • If a kernel update cannot be applied immediately, disable runtime power management for the affected USB device by setting its power control sysfs entry to "none" or "auto" to prevent the suspend callback from executing the vulnerable code.

Generated by OpenCVE AI on April 7, 2026 at 10:38 UTC.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 18 Apr 2026 09:15:00 +0000


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 04 Apr 2026 01:15:00 +0000


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Do not perform PM inside suspend callback syzbot reports "task hung in rpm_resume" This is caused by aqc111_suspend calling the PM variant of its write_cmd routine. The simplified call trace looks like this: rpm_suspend() usb_suspend_both() - here udev->dev.power.runtime_status == RPM_SUSPENDING aqc111_suspend() - called for the usb device interface aqc111_write32_cmd() usb_autopm_get_interface() pm_runtime_resume_and_get() rpm_resume() - here we call rpm_resume() on our parent rpm_resume() - Here we wait for a status change that will never happen. At this point we block another task which holds rtnl_lock and locks up the whole networking stack. Fix this by replacing the write_cmd calls with their _nopm variants
Title net: usb: aqc111: Do not perform PM inside suspend callback
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:58.160Z

Reserved: 2026-01-13T15:37:46.019Z

Link: CVE-2026-23446

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-03T16:16:30.317

Modified: 2026-04-23T20:57:00.913

Link: CVE-2026-23446

Redhat

Severity :

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23446 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:53:56Z

Weaknesses