Description
In the Linux kernel, the following vulnerability has been resolved:

usb: image: mdc800: kill download URB on timeout

mdc800_device_read() submits download_urb and waits for completion.
If the timeout fires and the device has not responded, the function
returns without killing the URB, leaving it active.

A subsequent read() resubmits the same URB while it is still
in-flight, triggering the WARN in usb_submit_urb():

"URB submitted while active"

Check the return value of wait_event_timeout() and kill the URB if
it indicates timeout, ensuring the URB is complete before its status
is inspected or the URB is resubmitted.

Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The mdc800 USB driver has a flaw where a download URB is not cancelled after a timeout. As a result, the driver may leave an active URB in the system, and a subsequent read() will attempt to resubmit the same URB. This triggers the kernel warning "URB submitted while active" and indicates that resources that should have been released remain allocated, potentially leading to a resource leak within the USB subsystem. The flaw is associated with the CWE-400 category of uncontrolled resource consumption.
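
The timeout path described above, as an added userspace model in C. It is not the mdc800 driver's code or the upstream patch, and every `model_*` name and the `-ETIMEDOUT` return value are assumptions of the model. It shows why returning on timeout without killing the URB makes the next read fail at submission.

```c
/* Userspace model, constructed for illustration; not kernel or driver code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_urb {
    bool active;  /* stands in for "URB is owned by the host controller" */
    int status;   /* completion status, meaningful only once !active */
};
/* Models usb_submit_urb(): an in-flight URB is rejected (the kernel also WARNs). */
static int model_submit(struct model_urb *u)
{
    if (u->active)
        return -EBUSY;
    u->active = true;
    u->status = -EINPROGRESS;
    return 0;
}
/* Models usb_kill_urb(): on return the URB is no longer active. */
static void model_kill(struct model_urb *u)
{
    if (u->active) { u->active = false; u->status = -ENOENT; }
}
/* Models wait_event_timeout(): 0 means timeout, >0 means the URB completed. */
static long model_wait(struct model_urb *u, bool device_responds)
{
    if (device_responds) { u->active = false; u->status = 0; }
    return device_responds ? 1 : 0;
}
/* One read() attempt; kill_on_timeout == false is the pre-fix behaviour. */
static int model_read(struct model_urb *u, bool device_responds, bool kill_on_timeout)
{
    int ret = model_submit(u);
    if (ret)
        return ret;               /* a still-active URB is rejected here */
    if (model_wait(u, device_responds) == 0) {
        if (kill_on_timeout)
            model_kill(u);        /* the fix: URB is idle before returning */
        return -ETIMEDOUT;        /* error code chosen for this model */
    }
    return u->status;
}
int main(void)
{
    struct model_urb a = {0}, b = {0};
    model_read(&a, false, false);   /* times out, URB left active */
    model_read(&b, false, true);    /* times out, URB killed */
    printf("next read: unfixed=%d fixed=%d\n", model_read(&a, true, false), model_read(&b, true, true));
    return 0;
}
```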

Affected Systems

All Linux kernel builds that contain the unpatched mdc800 driver are affected. This includes any kernel that has not integrated the patch commit adding timeout handling. No specific kernel version is listed, so all kernels compiled with the vulnerable code prior to the fix are included.

Risk and Exploitability

The flaw appears to require local access to a USB mdc800 device that does not respond. No public exploit code is known, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score is not available, so the likelihood of exploitation remains uncertain. In a scenario where an attacker can supply a non‑responsive USB device, the warning could be repeatedly triggered, but no direct denial‑of‑service impact has been documented.

Generated by OpenCVE AI on May 8, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the mdc800 driver timeout fix.
  • If an update is not immediately available, disable or unload the mdc800 driver from the kernel configuration.
  • Continuously monitor system logs for the "URB submitted while active" warning to verify that the issue no longer occurs.

Advisories

No advisories yet.

History

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: image: mdc800: kill download URB on timeout mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active. A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb(): "URB submitted while active" Check the return value of wait_event_timeout() and kill the URB if it indicates timeout, ensuring the URB is complete before its status is inspected or the URB is resubmitted. Similar to - commit 372c93131998 ("USB: yurex: fix control-URB timeout handling") - commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
Title usb: image: mdc800: kill download URB on timeout
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-09T04:10:55.876Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43425

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:54.620

Modified: 2026-05-08T15:16:54.620

Link: CVE-2026-43425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T21:30:05Z

Weaknesses

No weakness.