CVE-2026-43255 - Vulnerability Details

- wifi: libertas: fix WARNING in usb_tx_block

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: libertas: fix WARNING in usb_tx_block

The function usb_tx_block() submits cardp->tx_urb without ensuring that
any previous transmission on this URB has completed. If a second call
occurs while the URB is still active (e.g. during rapid firmware loading),
usb_submit_urb() detects the active state and triggers a warning:
'URB submitted while active'.

Fix this by enforcing serialization: call usb_kill_urb() before
submitting the new request. This ensures the URB is idle and safe to reuse.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The libertas Wi‑Fi driver in the Linux kernel contains a flaw in the usb_tx_block routine: it submits a USB request block (URB) without first confirming that a previous transmission on that URB has completed. When a second call occurs while the URB remains active, usb_submit_urb triggers the warning 'URB submitted while active.' This warning reflects a lack of proper serialization of USB traffic and can lead to driver instability or a denial of service if the situation repeats during rapid firmware loads or sustained USB activity. No crash or data corruption is explicitly documented; the impact is limited to potential disruption of the wireless adapter’s operation.

Affected Systems

Any Linux kernel that ships the unpatched libertas Wi‑Fi driver is affected. The advisory does not specify exact kernel revisions, so all distributions or custom kernels containing the libertas module without the commit that adds usb_kill_urb before each usb_submit_urb may be vulnerable. The only vendor listed is Linux.

Risk and Exploitability

The CVSS score of 5.5 coupled with an EPSS score below 1 % indicates moderate severity but a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, and no public exploits are known. Attackers would need local or device‑level access to trigger the condition, for example by rapidly reloading firmware or forcing many USB transfers, which could cause driver instability. In practice, the risk remains confined to repeated warning logs and the potential for intermittent wireless connectivity loss.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< 498525d8358d6d20918787e59736d5b6a021e9fd
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< 2902a9b4415a6bafc9b1e5dd360f065d757a0bb7
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< 948a39c95d0f8d73722910f8cdb7b6e3e9206232
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< 5bfb25495e391a1be0db94b15715174fa06b93a1
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< b82073564373e68c6ae3a96039fae14cd002a496
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< 3308c7504e093b22e91a4468470309cee2e26b83
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< fc188b44547dea4e7350833171982a6312befde9
`876c9d3aeb989cf1961f2c228d309ba5dcfb1172`	affected	< d66676e6ca96bf8680f869a9bd6573b26c634622

Linux

affected

Version	Status	Constraints
`2.6.22`	affected	—
`0`	unaffected	< 2.6.22
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,498525d8358d6d20918787e59736d5b6a021e9fd)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2902a9b4415a6bafc9b1e5dd360f065d757a0bb7)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,948a39c95d0f8d73722910f8cdb7b6e3e9206232)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5bfb25495e391a1be0db94b15715174fa06b93a1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b82073564373e68c6ae3a96039fae14cd002a496)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,3308c7504e093b22e91a4468470309cee2e26b83)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fc188b44547dea4e7350833171982a6312befde9)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d66676e6ca96bf8680f869a9bd6573b26c634622)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that inserts usb_kill_urb before each usb_submit_urb in usb_tx_block, or upgrade to a Linux kernel version that already includes the fix.
Reload the libertas Wi‑Fi module or reboot the system to load the patched driver.
If possible, update the wireless adapter firmware to avoid rapid firmware re‑loading scenarios, or monitor system logs for the 'URB submitted while active' warning to detect repeated incidents.

Generated by OpenCVE AI on May 11, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2902a9b4415a6bafc9b1e5dd360f065d757a0bb7
https://git.kernel.org/stable/c/3308c7504e093b22e91a4468470309cee2e26b83
https://git.kernel.org/stable/c/498525d8358d6d20918787e59736d5b6a021e9fd
https://git.kernel.org/stable/c/5bfb25495e391a1be0db94b15715174fa06b93a1
https://git.kernel.org/stable/c/948a39c95d0f8d73722910f8cdb7b6e3e9206232
https://git.kernel.org/stable/c/b82073564373e68c6ae3a96039fae14cd002a496
https://git.kernel.org/stable/c/d66676e6ca96bf8680f869a9bd6573b26c634622
https://git.kernel.org/stable/c/fc188b44547dea4e7350833171982a6312befde9
https://lore.kernel.org/linux-cve-announce/2026050605-CVE-2026-43255-d0bf@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43255
https://www.cve.org/CVERecord?id=CVE-2026-43255

History

Mon, 11 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-362

Mon, 11 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050605-CVE-2026-43255-d0bf@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43255 https://www.cve.org/CVERecord?id=CVE-2026-43255

Wed, 06 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix WARNING in usb_tx_block The function usb_tx_block() submits cardp->tx_urb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active (e.g. during rapid firmware loading), usb_submit_urb() detects the active state and triggers a warning: 'URB submitted while active'. Fix this by enforcing serialization: call usb_kill_urb() before submitting the new request. This ensures the URB is idle and safe to reuse.
Title		wifi: libertas: fix WARNING in usb_tx_block
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2902a9b4415a6bafc9b1e5dd360f065d757a0bb7 https://git.kernel.org/stable/c/3308c7504e093b22e91a4468470309cee2e26b83 https://git.kernel.org/stable/c/498525d8358d6d20918787e59736d5b6a021e9fd https://git.kernel.org/stable/c/5bfb25495e391a1be0db94b15715174fa06b93a1 https://git.kernel.org/stable/c/948a39c95d0f8d73722910f8cdb7b6e3e9206232 https://git.kernel.org/stable/c/b82073564373e68c6ae3a96039fae14cd002a496 https://git.kernel.org/stable/c/d66676e6ca96bf8680f869a9bd6573b26c634622 https://git.kernel.org/stable/c/fc188b44547dea4e7350833171982a6312befde9

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:44.522Z

Updated: 2026-05-11T22:21:00.707Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43255

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:46.263

Modified: 2026-05-11T18:18:36.687

Link: CVE-2026-43255

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43255 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T22:30:08Z

Weaknesses

NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object