CVE-2026-43170 - Vulnerability Details

- usb: dwc3: gadget: Move vbus draw to workqueue context

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Move vbus draw to workqueue context

Currently dwc3_gadget_vbus_draw() can be called from atomic
context, which in turn invokes power-supply-core APIs. And
some these PMIC APIs have operations that may sleep, leading
to kernel panic.

Fix this by moving the vbus_draw into a workqueue context.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A kernel function that controls USB power draw was executing in an atomic context, inadvertently calling power‑management APIs that are allowed to block. Because these APIs can sleep, the function sometimes deadlocked the kernel, producing a crash. The fix moves the power draw operation into a workqueue so that sleeps are safe, eliminating the crash risk. The primary consequence of the vulnerability is an availability failure: a driver or attacker that triggers the buggy call could bring the system down by forcing a kernel panic.

Affected Systems

All Linux kernels that contain the dwc3 gadget subsystem prior to the patch that moved the vbus draw into a workqueue. The patch was applied to the mainline kernel; the exact version range is not specified, so any build from the time before the commit should be considered vulnerable.

Risk and Exploitability

No EPSS score is available and the CVE is not listed in CISA's KEV catalog, indicating low publicly known exploit activity. The issue is a local availability bug that requires ability to influence the USB gadget driver, so the attack vector is likely local or requires physical access. Given the severity of a kernel panic, the risk remains high if an attacker can trigger the condition; however, the lack of observed exploitation reduces immediate threat urgency. The vulnerability remains serious because a kernel crash can lead to data loss and denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`99288de36020c5a6976df77e53ac449b0f75c97f`	affected	< 76c1123ffccfaba95cf4ecc2a50f95504a522424
`99288de36020c5a6976df77e53ac449b0f75c97f`	affected	< a7a80c25b65112768eeba58a7af129d3c52a6d90
`99288de36020c5a6976df77e53ac449b0f75c97f`	affected	< 2333653ef854c2cc124077f71a8526f03bf6e06a
`99288de36020c5a6976df77e53ac449b0f75c97f`	affected	< 74a231e3d99d310497ab0ccb359539a6063b316a
`99288de36020c5a6976df77e53ac449b0f75c97f`	affected	< 54aaa3b387c2f580a99dc86a9cc2eb6dfaf599a7

Linux

affected

Version	Status	Constraints
`5.13`	affected	—
`0`	unaffected	< 5.13
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update your Linux kernel to a version that includes the merge commit fixing the atomic context issue
If updating immediately is not possible, disable the dwc3 USB gadget subsystem or reboot after any suspected crash to restore functionality
Restrict or monitor USB gadget usage on systems that expose the dwc3 driver to prevent accidental or malicious invocations

Generated by OpenCVE AI on May 6, 2026 at 14:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2333653ef854c2cc124077f71a8526f03bf6e06a
https://git.kernel.org/stable/c/54aaa3b387c2f580a99dc86a9cc2eb6dfaf599a7
https://git.kernel.org/stable/c/74a231e3d99d310497ab0ccb359539a6063b316a
https://git.kernel.org/stable/c/76c1123ffccfaba95cf4ecc2a50f95504a522424
https://git.kernel.org/stable/c/a7a80c25b65112768eeba58a7af129d3c52a6d90

History

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Move vbus draw to workqueue context Currently dwc3_gadget_vbus_draw() can be called from atomic context, which in turn invokes power-supply-core APIs. And some these PMIC APIs have operations that may sleep, leading to kernel panic. Fix this by moving the vbus_draw into a workqueue context.
Title		usb: dwc3: gadget: Move vbus draw to workqueue context
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2333653ef854c2cc124077f71a8526f03bf6e06a https://git.kernel.org/stable/c/54aaa3b387c2f580a99dc86a9cc2eb6dfaf599a7 https://git.kernel.org/stable/c/74a231e3d99d310497ab0ccb359539a6063b316a https://git.kernel.org/stable/c/76c1123ffccfaba95cf4ecc2a50f95504a522424 https://git.kernel.org/stable/c/a7a80c25b65112768eeba58a7af129d3c52a6d90

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:46.021Z

Updated: 2026-05-06T11:27:46.021Z

Reserved: 2026-05-01T14:12:55.990Z

Link: CVE-2026-43170

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:35.320

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T14:15:05Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object