Description
In the Linux kernel, the following vulnerability has been resolved:

net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode

kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls
netif_stop_queue() and netif_wake_queue(). These are TX queue flow
control functions unrelated to RX multicast configuration.

The premature netif_wake_queue() can re-enable TX while tx_urb is still
in-flight, leading to a double usb_submit_urb() on the same URB:

kaweth_start_xmit() {
netif_stop_queue();
usb_submit_urb(kaweth->tx_urb);
}

kaweth_set_rx_mode() {
netif_stop_queue();
netif_wake_queue(); // wakes TX queue before URB is done
}

kaweth_start_xmit() {
netif_stop_queue();
usb_submit_urb(kaweth->tx_urb); // URB submitted while active
}

This triggers the WARN in usb_submit_urb():

"URB submitted while active"

This is a similar class of bug fixed in rtl8150 by

- commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").

Also kaweth_set_rx_mode() is already functionally broken, the
real set_rx_mode action is performed by kaweth_async_set_rx_mode(),
which in turn is not a no-op only at ndo_open() time.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises in the kaweth USB network driver in the Linux kernel, where the napi function kaweth_set_rx_mode() incorrectly calls netif_wake_queue() before the pending transmit USB Transfer Request Block (URB) has finished. This premature wake re‑enables the transmit queue, allowing a second usb_submit_urb() on the same URB while it is still active. The kernel emits a warning ‘URB submitted while active’, and repeated occurrences can result in kernel instability or a crash, effectively disrupting device operation and overall system availability.

Affected Systems

This vulnerability affects all Linux systems running a kernel with the kaweth driver until the patch that removes the TX queue manipulation in kaweth_set_rx_mode() is applied. The specific vendor and product are Linux kernels from any distribution that include the default kernel image containing the affected driver code; versions prior to the commit introducing the fix are impacted.

Risk and Exploitability

The attack vector is inferred to be local, requiring an attacker with the ability to trigger the setsockopt or similar system calls that cause a change in multicast mode on the device, which typically requires at least kernel or root privileges. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating limited current exploitation evidence. However, the potential for kernel panic makes the CVSS score high enough to warrant prompt remediation, especially in production environments that rely on the affected USB network interface.

Generated by OpenCVE AI on May 6, 2026 at 14:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch removing the netif_wake_queue call in kaweth_set_rx_mode()
  • If an immediate kernel update is not possible, disable the kaweth driver or unplug the affected USB network device to prevent further contention
  • As a temporary workaround, avoid performing multicast configuration changes on the device; monitor system logs for repeated usb_submit_urb warnings indicating residual activity

Generated by OpenCVE AI on May 6, 2026 at 14:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-753

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration. The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB: kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); } kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done } kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active } This triggers the WARN in usb_submit_urb(): "URB submitted while active" This is a similar class of bug fixed in rtl8150 by - commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast"). Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time.
Title net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:52.983Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43180

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:36.533

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T16:15:06Z

Weaknesses