CVE-2026-43180 - Vulnerability Details

- net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode

kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls
netif_stop_queue() and netif_wake_queue(). These are TX queue flow
control functions unrelated to RX multicast configuration.

The premature netif_wake_queue() can re-enable TX while tx_urb is still
in-flight, leading to a double usb_submit_urb() on the same URB:

kaweth_start_xmit() {
netif_stop_queue();
usb_submit_urb(kaweth->tx_urb);
}

kaweth_set_rx_mode() {
netif_stop_queue();
netif_wake_queue(); // wakes TX queue before URB is done
}

kaweth_start_xmit() {
netif_stop_queue();
usb_submit_urb(kaweth->tx_urb); // URB submitted while active
}

This triggers the WARN in usb_submit_urb():

"URB submitted while active"

This is a similar class of bug fixed in rtl8150 by

- commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").

Also kaweth_set_rx_mode() is already functionally broken, the
real set_rx_mode action is performed by kaweth_async_set_rx_mode(),
which in turn is not a no-op only at ndo_open() time.

Published: 2026-05-06

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw lies in the kaweth USB network driver of the Linux kernel. The ndo_set_rx_mode callback, implemented by kaweth_set_rx_mode(), inappropriately calls netif_wake_queue() while a transmit USB Transfer Request Block (URB) is still active. This race condition allows a second usb_submit_urb() on the same URB, triggering the kernel WARN "URB submitted while active". Repeatedly invoking this routine can lead to kernel instability or crashes. The defect illustrates a concurrency race condition that can compromise system reliability.

Affected Systems

All Linux kernel images that include the kaweth driver before the commit that removed netif_wake_queue from kaweth_set_rx_mode are affected. Distribution kernels built from sources prior to the change exhibit the vulnerability. The precise kernel release numbers are not specified in the advisory, so any system running a pre‑patch kaweth driver on a USB Ethernet device is at risk.

Risk and Exploitability

The vulnerability requires an attacker to trigger a multicast configuration change that calls kaweth_set_rx_mode(). Based on the description, it is inferred that the likely attack vector is local; an attacker would need kernel or root privileges, or an application with the ability to alter network interface settings, to execute the fault. The CVSS score of 7.8 indicates high severity. The EPSS score is < 1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA KEV. Nevertheless, the recurrent WARNs can accumulate and destabilize the system, warranting prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 443a830b1dc4f85c7560da59d4494b629feee215
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 586318c2730433184c6f1d21183e346ddf25e81d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a2cd4b4db315a845a5603d08c9d03b11ddfc799d
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< ef9b10a020503888eb6c8ed85a3d901a624ede4c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 9c79b839a63980c7da7ec5db895198045e154112
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< fc393af769af845d9985e2845e49553d8f015a64
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 8367c0e90126426e60581e4c07e1ec4411a0f843
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 64868f5ecadeb359a49bc4485bfa7c497047f13a

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,443a830b1dc4f85c7560da59d4494b629feee215)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,586318c2730433184c6f1d21183e346ddf25e81d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,64868f5ecadeb359a49bc4485bfa7c497047f13a)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8367c0e90126426e60581e4c07e1ec4411a0f843)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9c79b839a63980c7da7ec5db895198045e154112)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a2cd4b4db315a845a5603d08c9d03b11ddfc799d)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ef9b10a020503888eb6c8ed85a3d901a624ede4c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fc393af769af845d9985e2845e49553d8f015a64)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.12`	affected	semver	—
`[0,2.6.12)`	unaffected	semver	—
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.16,6.18.*]`	unaffected	generic	—
`[6.19.6,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the patch removing netif_wake_queue from kaweth_set_rx_mode
Disable or unload the kaweth driver or disconnect the affected USB network device if an immediate kernel update is not available
As a temporary measure, avoid multicast configuration changes that trigger kaweth_set_rx_mode() and monitor system logs for repeated "URB submitted while active" warnings

Generated by OpenCVE AI on May 12, 2026 at 22:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/443a830b1dc4f85c7560da59d4494b629feee215
https://git.kernel.org/stable/c/586318c2730433184c6f1d21183e346ddf25e81d
https://git.kernel.org/stable/c/64868f5ecadeb359a49bc4485bfa7c497047f13a
https://git.kernel.org/stable/c/8367c0e90126426e60581e4c07e1ec4411a0f843
https://git.kernel.org/stable/c/9c79b839a63980c7da7ec5db895198045e154112
https://git.kernel.org/stable/c/a2cd4b4db315a845a5603d08c9d03b11ddfc799d
https://git.kernel.org/stable/c/ef9b10a020503888eb6c8ed85a3d901a624ede4c
https://git.kernel.org/stable/c/fc393af769af845d9985e2845e49553d8f015a64
https://lore.kernel.org/linux-cve-announce/2026050638-CVE-2026-43180-f0ea@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43180
https://www.cve.org/CVERecord?id=CVE-2026-43180

History

Tue, 12 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 07 May 2026 05:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-753

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-663
References		https://lore.kernel.org/linux-cve-announce/2026050638-CVE-2026-43180-f0ea@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43180 https://www.cve.org/CVERecord?id=CVE-2026-43180
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 06 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-753

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration. The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB: kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); } kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done } kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active } This triggers the WARN in usb_submit_urb(): "URB submitted while active" This is a similar class of bug fixed in rtl8150 by - commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast"). Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time.
Title		net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/443a830b1dc4f85c7560da59d4494b629feee215 https://git.kernel.org/stable/c/586318c2730433184c6f1d21183e346ddf25e81d https://git.kernel.org/stable/c/64868f5ecadeb359a49bc4485bfa7c497047f13a https://git.kernel.org/stable/c/8367c0e90126426e60581e4c07e1ec4411a0f843 https://git.kernel.org/stable/c/9c79b839a63980c7da7ec5db895198045e154112 https://git.kernel.org/stable/c/a2cd4b4db315a845a5603d08c9d03b11ddfc799d https://git.kernel.org/stable/c/ef9b10a020503888eb6c8ed85a3d901a624ede4c https://git.kernel.org/stable/c/fc393af769af845d9985e2845e49553d8f015a64

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:52.983Z

Updated: 2026-05-11T22:19:23.602Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43180

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:36.533

Modified: 2026-05-12T19:36:09.967

Link: CVE-2026-43180

Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43180 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object