Description
In the Linux kernel, the following vulnerability has been resolved:

usb: image: mdc800: kill download URB on timeout

mdc800_device_read() submits download_urb and waits for completion.
If the timeout fires and the device has not responded, the function
returns without killing the URB, leaving it active.

A subsequent read() resubmits the same URB while it is still
in-flight, triggering the WARN in usb_submit_urb():

"URB submitted while active"

Check the return value of wait_event_timeout() and kill the URB if
it indicates timeout, ensuring the URB is complete before its status
is inspected or the URB is resubmitted.

Similar to
- commit 372c93131998 ("USB: yurex: fix control-URB timeout handling")
- commit b98d5000c505 ("media: rc: iguanair: handle timeouts")
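
A userspace C model of the URB lifecycle described in the commit message above, added here as an illustration; it is not the mdc800 driver or the upstream patch. The `model_*` names and the `-ETIMEDOUT` return value are assumptions; `-EBUSY`, `-EINPROGRESS` and `-ENOENT` mirror what usb_submit_urb() and usb_kill_urb() use in the kernel.

```c
/* Added userspace model, not kernel code; all model_* names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct model_urb {
    bool active;    /* submitted, not yet completed or killed */
    int status;     /* completion status once idle */
    int warnings;   /* times "URB submitted while active" would fire */
};

/* Stand-in for usb_submit_urb(): rejects an URB that is still in flight. */
int model_submit(struct model_urb *u)
{
    if (u->active) {
        u->warnings++;
        return -EBUSY;
    }
    u->active = true;
    u->status = -EINPROGRESS;
    return 0;
}

/* One read(); only the fixed variant kills the URB (-ETIMEDOUT is assumed). */
int model_read(struct model_urb *u, bool device_responds, bool kill_on_timeout)
{
    int ret = model_submit(u);
    if (ret)
        return ret;
    if (!device_responds) {         /* wait_event_timeout() returned 0 */
        if (kill_on_timeout) {      /* stand-in for usb_kill_urb() */
            u->active = false;
            u->status = -ENOENT;
        }
        return -ETIMEDOUT;
    }
    u->active = false;              /* completion handler ran */
    u->status = 0;
    return 0;
}

int main(void)
{
    struct model_urb old = {0}, fixed = {0};
    for (int i = 0; i < 2; i++) {   /* two reads, device never answers */
        model_read(&old, false, false);
        model_read(&fixed, false, true);
    }
    printf("warnings: unpatched=%d patched=%d\n", old.warnings, fixed.warnings);
    return 0;
}
```

In the unpatched variant the second read fails at submission because the first URB was never cancelled; in the patched variant every read starts from an idle URB.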
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel mdc800 USB driver contains a flaw where a download URB is not cancelled after a timeout. When the device does not respond, the driver leaves the URB active; a subsequent read() resubmits the same URB and triggers the kernel warning 'URB submitted while active'. This indicates that resources expected to be freed remain allocated, creating a potential resource leak within the USB subsystem. The weakness is classified as CWE‑366.

Affected Systems

All Linux kernel builds that include the unpatched mdc800 driver are affected. This covers any kernel compiled from the vulnerable code before the fix commit that adds timeout handling, spanning historic releases such as 2.6.x and recent 7.x release candidates, as identified by the CPE list provided.

Risk and Exploitability

The CVSS score of 5.5 shows moderate severity, and the EPSS score is less than 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The required environment for an exploit is not explicitly described in the advisory, but based on the driver’s behavior it is inferred that a local USB mdc800 device must be present to trigger the timeout scenario. No public exploit code is known, and the impact is limited to a kernel warning and potential resource consumption.

Generated by OpenCVE AI on May 20, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that contains the fix commit adding proper timeout handling for the mdc800 driver.
  • If an update cannot be applied immediately, disable or remove the mdc800 USB driver from the kernel configuration to avoid the trigger.
  • Continuously monitor system logs for the "URB submitted while active" warning to confirm the issue has been resolved.



Advisories
Source | ID | Title
Debian DLA | DLA-4606-1 | linux security update
History

Wed, 20 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title usb: image: mdc800: kill download URB on timeout
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:20.496Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43425

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-08T15:16:54.620

Modified: 2026-05-20T18:35:46.093

Link: CVE-2026-43425

Red Hat

Severity: Low

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43425 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T20:00:12Z

Weaknesses