Description
In the Linux kernel, the following vulnerability has been resolved:

USB: core: Limit the length of unkillable synchronous timeouts

The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in
usbcore allow unlimited timeout durations. And since they use
uninterruptible waits, this leaves open the possibility of hanging a
task for an indefinitely long time, with no way to kill it short of
unplugging the target device.

To prevent this sort of problem, enforce a maximum limit on the length
of these unkillable timeouts. The limit chosen here, somewhat
arbitrarily, is 60 seconds. On many systems (although not all) this
is short enough to avoid triggering the kernel's hung-task detector.

In addition, clear up the ambiguity of negative timeout values by
treating them the same as 0, i.e., using the maximum allowed timeout.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel bug allows applications to issue USB control, bulk, or interrupt messages with unlimited timeout values. Because these calls use uninterruptible waits, a caller can inadvertently block a kernel task for an undefined period, potentially forever. This can lead to resource exhaustion and lock up system services or prevent further task scheduling, effectively denying service for the user on the affected machine. The weakness corresponds to CWE-770 for unbounded wait loops.

Affected Systems

The vendor/product listed is Linux: Linux, representing the generic Linux kernel. The bug affects all kernel releases that lack the 60‑second timeout cap introduced by the patch. Based on the description of the fix, it is inferred that any kernel version preceding the commit that added the timeout limit is vulnerable, regardless of distribution or distribution version.

Risk and Exploitability

The EPSS score of < 1% indicates an extremely low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, further suggesting it is not a known widely exploited issue. With a CVSS score of 5.5, the impact of an exploitation event could deny services locally. The likely attack vector requires local USB device access and the ability to invoke the affected USB synchronous functions from user space, making it most relevant in environments that frequently communicate with USB hardware.

Generated by OpenCVE AI on May 20, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that implements the 60‑second timeout limit for USB synchronous messages.
  • If a kernel upgrade cannot be applied immediately, isolate critical USB traffic by disabling the USB controller during high‑availability periods or removing the device and re‑adding it when possible.
  • Monitor kernel logs for “hung task” warnings to confirm that blocking delays no longer occur after applying the patch.

Generated by OpenCVE AI on May 20, 2026 at 19:54 UTC.
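The log-monitoring step in the recommended actions above, as an added example that is not part of the OpenCVE page or the kernel source: it parses dmesg-style hung-task reports and flags those whose call trace passes through one of the three synchronous usbcore APIs named in the description, the waits the fix caps at 60 seconds. The sample lines, the stack frames and the `[usbcore]` module tag are constructed approximations of the kernel's hung-task output, not captured data.

```python
import re
from dataclasses import dataclass, field

# Synchronous usbcore APIs named in the CVE description; the fix caps their
# uninterruptible waits at 60 s, below the hung-task detector's default 120 s.
USB_SYNC_APIS = ("usb_control_msg", "usb_bulk_msg", "usb_interrupt_msg")
MAX_SYNC_TIMEOUT_S = 60
_TS = r"(?:\[\s*[\d.]+\]\s*)?"  # optional dmesg timestamp, e.g. "[  245.109] "
HUNG_RE = re.compile(_TS + r"INFO: task (?P<comm>\S+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
FRAME_RE = re.compile(_TS + r"\s*(?:\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # one call-trace frame

@dataclass
class HungTask:
    comm: str
    pid: int
    secs: int
    frames: list = field(default_factory=list)

    def usb_sync_frames(self):  # frames that are one of the capped USB APIs
        return [f for f in self.frames if f in USB_SYNC_APIS]

    def exceeds_patched_cap(self):  # longer than a patched kernel can block here
        return self.secs > MAX_SYNC_TIMEOUT_S

def parse_hung_tasks(lines):
    # Group hung-task reports and collect each report's call-trace symbols.
    tasks, cur = [], None
    for line in lines:
        m = HUNG_RE.search(line)
        if m:
            cur = HungTask(m["comm"], int(m["pid"]), int(m["secs"]))
            tasks.append(cur)
            continue
        f = FRAME_RE.match(line) if cur else None
        if f:
            cur.frames.append(f["sym"])
    return tasks

def usb_sync_hangs(lines):
    # Reports whose call trace passes through a capped synchronous USB API.
    return [t for t in parse_hung_tasks(lines) if t.usb_sync_frames()]

# Constructed sample, not real kernel output: one USB-related hang, one unrelated.
SAMPLE_DMESG = """\
[  245.101] INFO: task udevadm:1337 blocked for more than 122 seconds.
[  245.104] Call Trace:
[  245.105]  schedule_timeout+0x98/0x160
[  245.106]  wait_for_completion_timeout+0x86/0x130
[  245.107]  usb_bulk_msg+0x1c/0x40 [usbcore]
[  300.200] INFO: task kworker/0:1:42 blocked for more than 122 seconds.
[  300.202]  msleep+0x2e/0x40
""".splitlines()
```

On a kernel carrying the fix, a report that still shows one of these frames after more than 60 seconds is worth investigating, because the cap should end the wait before the detector fires.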

Advisories

Source: Debian DLA | ID: DLA-4606-1 | Title: linux security update

History

Wed, 20 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description: added (identical to the Description at the top of this page)
Title USB: core: Limit the length of unkillable synchronous timeouts
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:24.020Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43428

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T15:16:54.990

Modified: 2026-05-20T18:26:17.250

Link: CVE-2026-43428

Redhat

Severity : Low

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43428 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T20:00:12Z

Weaknesses