Description
In the Linux kernel, the following vulnerability has been resolved:

usb: usbtmc: Flush anchored URBs in usbtmc_release

When calling usbtmc_release, pending anchored URBs must be flushed or
killed to prevent use-after-free errors (e.g. in the HCD giveback
path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
Published: 2026-05-01
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the usbtmc kernel driver, usbtmc_release does not flush or kill pending anchored URBs, creating a use-after-free condition that can corrupt kernel memory and potentially cause system crashes. Because usbtmc_release does not handle anchored URBs properly, the fix calls usbtmc_draw_down() so that they can complete safely. The vulnerability can lead to kernel memory corruption or crashes if an attacker controls a USB Test and Measurement Class device.

Affected Systems

All Linux kernel releases prior to the inclusion of the commit that fixes usbtmc_release are affected. The issue is present in the generic Linux kernel source and not limited to a specific version number, so any system running an unpatched kernel may be vulnerable.

Risk and Exploitability

The CVSS score of 7.0 indicates that the flaw has medium to high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. A local attacker who can attach a malicious USBTMC device can exploit the flaw by triggering usbtmc_release while an anchored URB is still pending, so that the URB later refers to freed memory, potentially causing a kernel panic or kernel memory corruption. The likely attack vector is local device attachment.

Generated by OpenCVE AI on May 2, 2026 at 11:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that incorporates the usbtmc_release fix.
  • Reboot the system after upgrading to ensure all USB devices are properly released.
  • Disable the usbtmc driver if it is not required, either by unloading the module or setting the appropriate sysfs parameter.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4561-1 | linux-6.1 security update |
| Debian DSA | DSA-6243-1 | linux security update |

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Flush anchored URBs in usbtmc_release When calling usbtmc_release, pending anchored URBs must be flushed or killed to prevent use-after-free errors (e.g. in the HCD giveback path). Call usbtmc_draw_down() to allow anchored URBs to be completed.
Title usb: usbtmc: Flush anchored URBs in usbtmc_release
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:48.390Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31758

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T15:16:38.807

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31758

Red Hat

Severity: Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31758 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T11:45:41Z

Weaknesses