Description
In the Linux kernel, the following vulnerability has been resolved:

USB: core: Limit the length of unkillable synchronous timeouts

The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in
usbcore allow unlimited timeout durations. And since they use
uninterruptible waits, this leaves open the possibility of hanging a
task for an indefinitely long time, with no way to kill it short of
unplugging the target device.

To prevent this sort of problem, enforce a maximum limit on the length
of these unkillable timeouts. The limit chosen here, somewhat
arbitrarily, is 60 seconds. On many systems (although not all) this
is short enough to avoid triggering the kernel's hung-task detector.

In addition, clear up the ambiguity of negative timeout values by
treating them the same as 0, i.e., using the maximum allowed timeout.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel bug allows applications to issue USB control, bulk, or interrupt messages with unlimited timeout values. Because these calls use uninterruptible waits, a caller can inadvertently block a kernel task for an undefined period, potentially forever. The attack can cause resource exhaustion and lock up system services or prevent further task scheduling, effectively denying service for the user on the affected machine. This weakness corresponds to the CWE-770 identifier for unbounded wait loops.

Affected Systems

The vulnerability affects the Linux kernel across all distributions and releases that have not yet implemented the 60‑second timeout cap introduced by the patch. The vendor/product information supplied in the CNA lists the product simply as Linux: Linux, matching the generic kernel. Therefore, all Linux kernel devices that rely on the usb_control_msg(), usb_bulk_msg(), or usb_interrupt_msg() APIs and lack the timeout restriction are potentially impacted until the fix is applied.

Risk and Exploitability

The EPSS score of < 1% indicates an extremely low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, further suggesting it is not a known widely exploited issue. Nonetheless, with a CVSS score of 5.5, a successful exploitation could deny service locally if a user can invoke the affected USB APIs. The attack requires local USB device access and the ability to call the USB synchronous functions from user space, making it relevant primarily in environments that frequently communicate with USB hardware.

Generated by OpenCVE AI on May 9, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that implements the 60‑second timeout limit for USB synchronous messages.
  • If a kernel upgrade cannot be applied immediately, isolate critical USB traffic by disabling the USB controller during high‑availability periods or removing the device and re‑adding it when possible.
  • Monitor kernel logs for “hung task” warnings to confirm that blocking delays no longer occur after applying the patch.
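One way to act on the log-monitoring recommendation above, as an added example (not code from OpenCVE or from the kernel project): a small Python scanner over constructed dmesg lines, modelled on the format of the kernel's hung-task detector reports. It keeps only hung tasks whose call trace passes through the usbcore synchronous transfer functions named in the description (usb_start_wait_urb is assumed to be the common wait path beneath them) and flags waits longer than the 60-second cap the patch introduces.

```python
import re

# Constructed sample dmesg excerpt, modelled on the hung-task detector's
# report format; not captured from a real system. The kworker report
# sits in a USB synchronous transfer, the cupsd report does not.
SAMPLE_DMESG = """\
[ 1842.101] INFO: task kworker/0:1:123 blocked for more than 122 seconds.
[ 1842.102]       Not tainted 6.x.y #1
[ 1842.103] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1842.104] task:kworker/0:1  state:D stack:0 pid:123 ppid:2 flags:0x00004000
[ 1842.105] Call Trace:
[ 1842.106]  __schedule+0x2c5/0x8a0
[ 1842.107]  schedule+0x5e/0xd0
[ 1842.108]  usb_start_wait_urb+0x92/0x150
[ 1842.109]  usb_control_msg+0xb3/0x130
[ 1842.110]  example_driver_probe+0x41/0x200 [example_driver]
[ 1900.200] INFO: task cupsd:845 blocked for more than 122 seconds.
[ 1900.201] Call Trace:
[ 1900.202]  __schedule+0x2c5/0x8a0
[ 1900.203]  ext4_file_write_iter+0x1a0/0x3c0
"""

# Task names may themselves contain ':' (kworker/0:1), so match lazily and
# anchor on the trailing ':<pid> blocked'.
HUNG_RE = re.compile(
    r"INFO: task (?P<name>.+?):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
# The three synchronous APIs from the advisory plus the assumed shared wait helper.
USB_SYNC_FUNCS = ("usb_control_msg", "usb_bulk_msg", "usb_interrupt_msg",
                  "usb_start_wait_urb")
USB_TIMEOUT_CAP_SECS = 60  # cap enforced by the fix described on this page

def find_usb_hung_tasks(text):
    """Return one dict per hung-task report whose call trace includes a
    usbcore synchronous transfer function; other hung tasks are dropped."""
    reports, current = [], None
    for line in text.splitlines():
        m = HUNG_RE.search(line)
        if m:  # start of a new report: remember it and collect its frames
            current = {"task": m["name"], "pid": int(m["pid"]),
                       "blocked_secs": int(m["secs"]), "usb_frames": []}
            reports.append(current)
            continue
        if current is None:
            continue
        frame = line.split("]", 1)[-1].strip()   # drop the "[ ts]" prefix
        sym = frame.split("+", 1)[0]             # "usb_control_msg+0xb3/0x130" -> symbol
        if sym in USB_SYNC_FUNCS:
            current["usb_frames"].append(sym)
    for r in reports:
        # A USB-path wait longer than the cap points at an unpatched kernel.
        r["exceeds_cap"] = r["blocked_secs"] > USB_TIMEOUT_CAP_SECS
    return [r for r in reports if r["usb_frames"]]
```

Run it against `journalctl -k` or `dmesg` output instead of the sample to check a live machine; the default hung-task threshold is 120 seconds, so any USB-path report it returns already exceeds the 60-second cap.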

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector. In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout.
Title USB: core: Limit the length of unkillable synchronous timeouts
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:22:01.027Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43428

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:54.990

Modified: 2026-05-08T15:16:54.990

Link: CVE-2026-43428

Redhat

Severity : Low

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43428 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses