CVE-2026-43427 - Vulnerability Details

- usb: class: cdc-wdm: fix reordering issue in read code path

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: class: cdc-wdm: fix reordering issue in read code path

Quoting the bug report:

Due to compiler optimization or CPU out-of-order execution, the
desc->length update can be reordered before the memmove. If this
happens, wdm_read() can see the new length and call copy_to_user() on
uninitialized memory. This also violates LKMM data race rules [1].

Fix it by using WRITE_ONCE and memory barriers.

Published: 2026-05-08

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CDC‑WDM driver in the Linux kernel contains a reordering bug where the descriptor length is updated before a memcpy operation. If the write to the length field is reordered ahead of the memmove, the read handler may see an incorrect length and then call copy_to_user() on memory that has never been initialized. This causes uninitialized kernel data to be copied into user space, potentially exposing sensitive information or causing a crash. The issue also violates Linux Kernel Memory Model data‑race rules, indicating a concurrency flaw.

Affected Systems

All Linux kernel builds that contain the CDC‑WDM driver and lack the patch from the referenced commits are vulnerable. The advisory does not list exact release numbers, but any kernel version prior to the inclusion of the fix is considered at risk.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity vulnerability, and the EPSS score is 0.00024, indicating a very low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Exploitation would require an attacker to trigger a CDC‑WDM read operation, so the attack vector is inferred to be local or remote device access. While the flaw does not grant remote code execution, it can lead to information disclosure or a denial‑of‑service condition if the user space copy causes a fault.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< 638328ca9c17ae6511ad62198c57bae32ffa3c91
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< 170e8daca24da6edb4be82ab01abf44e87af387b
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< c8fa96ed021923dae147bcd9f9205b8df7b82360
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< 4ee3062bf2c9a722afef429826e8607eaf3fc6a0
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< 276aef0fd2b92f41b920ac891c72cadeee957934
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< 67ed312124bb1b61858778ac0b985b48961c862a
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< e3c874b05901dc519054b5107d16620e6d2b5fea
`afba937e540c902c989cd516fd97ea0c8499bb27`	affected	< 8df672bfe3ec2268c2636584202755898e547173

Linux

affected

Version	Status	Constraints
`2.6.26`	affected	—
`0`	unaffected	< 2.6.26
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[afba937e540c902c989cd516fd97ea0c8499bb27,638328ca9c17ae6511ad62198c57bae32ffa3c91)`	affected	code_commit	—
`[afba937e540c902c989cd516fd97ea0c8499bb27,170e8daca24da6edb4be82ab01abf44e87af387b)`	affected	code_commit	—
`[afba937e540c902c989cd516fd97ea0c8499bb27,276aef0fd2b92f41b920ac891c72cadeee957934)`	affected	code_commit	—
`[afba937e540c902c989cd516fd97ea0c8499bb27,4ee3062bf2c9a722afef429826e8607eaf3fc6a0)`	affected	code_commit	—
`[afba937e540c902c989cd516fd97ea0c8499bb27,67ed312124bb1b61858778ac0b985b48961c862a)`	affected	code_commit	—
`[afba937e540c902c989cd516fd97ea0c8499bb27,8df672bfe3ec2268c2636584202755898e547173)`	affected	code_commit	—
`[afba937e540c902c989cd516fd97ea0c8499bb27,e3c874b05901dc519054b5107d16620e6d2b5fea)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.26`	affected	semver	—
`[0,2.6.26)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the CDC‑WDM driver fix in the referenced commits.
Reboot or reload the kernel modules so the patched driver is in use.
If an upgrade is not immediately possible, disable or restrict CDC‑WDM device usage until the patch is applied.

Generated by OpenCVE AI on May 9, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/170e8daca24da6edb4be82ab01abf44e87af387b
https://git.kernel.org/stable/c/276aef0fd2b92f41b920ac891c72cadeee957934
https://git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0
https://git.kernel.org/stable/c/638328ca9c17ae6511ad62198c57bae32ffa3c91
https://git.kernel.org/stable/c/67ed312124bb1b61858778ac0b985b48961c862a
https://git.kernel.org/stable/c/8df672bfe3ec2268c2636584202755898e547173
https://git.kernel.org/stable/c/c8fa96ed021923dae147bcd9f9205b8df7b82360
https://git.kernel.org/stable/c/e3c874b05901dc519054b5107d16620e6d2b5fea
https://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43427-12cc@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43427
https://www.cve.org/CVERecord?id=CVE-2026-43427

History

Sat, 09 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-254

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-366
References		https://lore.kernel.org/linux-cve-announce/2026050849-CVE-2026-43427-12cc@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43427 https://www.cve.org/CVERecord?id=CVE-2026-43427
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-254

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: class: cdc-wdm: fix reordering issue in read code path Quoting the bug report: Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1]. Fix it by using WRITE_ONCE and memory barriers.
Title		usb: class: cdc-wdm: fix reordering issue in read code path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/170e8daca24da6edb4be82ab01abf44e87af387b https://git.kernel.org/stable/c/276aef0fd2b92f41b920ac891c72cadeee957934 https://git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0 https://git.kernel.org/stable/c/638328ca9c17ae6511ad62198c57bae32ffa3c91 https://git.kernel.org/stable/c/67ed312124bb1b61858778ac0b985b48961c862a https://git.kernel.org/stable/c/8df672bfe3ec2268c2636584202755898e547173 https://git.kernel.org/stable/c/c8fa96ed021923dae147bcd9f9205b8df7b82360 https://git.kernel.org/stable/c/e3c874b05901dc519054b5107d16620e6d2b5fea

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:00.345Z

Updated: 2026-05-08T14:22:00.345Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43427

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:54.867

Modified: 2026-05-08T15:16:54.867

Link: CVE-2026-43427

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43427 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses

CWE-366

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object