CVE-2026-43429 - Vulnerability Details

- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts

The usbtmc driver accepts timeout values specified by the user in an
ioctl command, and uses these timeouts for some usb_bulk_msg() calls.
Since the user can specify arbitrarily long timeouts and
usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable()
instead to avoid the possibility of the user hanging a kernel thread
indefinitely.

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The usbtmc driver in the Linux kernel accepts a timeout value from a user via an ioctl call and passes that value directly to usb_bulk_msg(). Because usb_bulk_msg() performs an unkillable wait, an attacker can supply an excessively large timeout, causing a kernel thread to block indefinitely. This creates a denial‑of‑service condition that can stall kernel activity and potentially exhaust system resources.

Affected Systems

The vulnerable driver exists in all Linux kernel releases before the fix, affecting any system that exposes the usbtmc device interface and permits ioctl timeout manipulation.

Risk and Exploitability

The EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog; the CVSS score of 5.5 indicates a medium‑severity risk due to the potential for a local attacker to hang a kernel thread. The attack vector is local; a user with access to the usbtmc device and the ability to issue the ioctl can trigger the hang. Exploitation requires the attacker to run code that can open the device and send the specified ioctl. Once executed, the kernel thread remains busy until the timeout expires, causing a service interruption for the entire system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< e14a0dcdf468c3ad616bb06696c7c64c36e736d8
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< 7fa72c369c23c27d1f64883c1e276af950557fb1
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< 72c0a063489be183cfb99e7050aaef503bdb6449
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< 39bd4097292fd8564cf2cfba9356f8ab11e38d12
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< 0535f84cb94c9d8bcba0a2a5b3fac81b7d97235d
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< 6cb7dc91f057dd8ce44f6caa2995d8e22784ed0a
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< d4f1c45bdff3f393f9ab7e76795901c442b9eb76
`048c6d88a0214757926f264823829e79154fcd4f`	affected	< 7784caa413a89487dd14dd5c41db8753483b2acb

Linux

affected

Version	Status	Constraints
`4.19`	affected	—
`0`	unaffected	< 4.19
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[048c6d88a0214757926f264823829e79154fcd4f,e14a0dcdf468c3ad616bb06696c7c64c36e736d8)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,7fa72c369c23c27d1f64883c1e276af950557fb1)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,72c0a063489be183cfb99e7050aaef503bdb6449)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,39bd4097292fd8564cf2cfba9356f8ab11e38d12)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,0535f84cb94c9d8cba0a2a5b3fac81b7d97235d)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,6cb7dc91f057dd8ce44f6caa2995d8e22784ed0a)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,d4f1c45bdff3f393f9ab7e76795901c442b9eb76)`	affected	code_commit	—
`[048c6d88a0214757926f264823829e79154fcd4f,7784caa413a89487dd14dd5c41db8753483b2acb)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.19`	affected	generic	—
`[0,4.19)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that implements usb_bulk_msg_killable() in the usbtmc driver.
If an immediate kernel update is not possible, restrict access to the usbtmc device by setting appropriate file permissions or using udev rules to limit ioctl usage to trusted users only.
Monitor the kernel logs for patterns of prolonged usbtmc operations and reboot the system if a kernel thread remains blocked for an unusually long period.

Generated by OpenCVE AI on May 9, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0535f84cb94c9d8bcba0a2a5b3fac81b7d97235d
https://git.kernel.org/stable/c/39bd4097292fd8564cf2cfba9356f8ab11e38d12
https://git.kernel.org/stable/c/6cb7dc91f057dd8ce44f6caa2995d8e22784ed0a
https://git.kernel.org/stable/c/72c0a063489be183cfb99e7050aaef503bdb6449
https://git.kernel.org/stable/c/7784caa413a89487dd14dd5c41db8753483b2acb
https://git.kernel.org/stable/c/7fa72c369c23c27d1f64883c1e276af950557fb1
https://git.kernel.org/stable/c/d4f1c45bdff3f393f9ab7e76795901c442b9eb76
https://git.kernel.org/stable/c/e14a0dcdf468c3ad616bb06696c7c64c36e736d8
https://lore.kernel.org/linux-cve-announce/2026050850-CVE-2026-43429-70a3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43429
https://www.cve.org/CVERecord?id=CVE-2026-43429

History

Sat, 09 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-400

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050850-CVE-2026-43429-70a3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43429 https://www.cve.org/CVERecord?id=CVE-2026-43429
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 08 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400 CWE-770

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely.
Title		USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0535f84cb94c9d8bcba0a2a5b3fac81b7d97235d https://git.kernel.org/stable/c/39bd4097292fd8564cf2cfba9356f8ab11e38d12 https://git.kernel.org/stable/c/6cb7dc91f057dd8ce44f6caa2995d8e22784ed0a https://git.kernel.org/stable/c/72c0a063489be183cfb99e7050aaef503bdb6449 https://git.kernel.org/stable/c/7784caa413a89487dd14dd5c41db8753483b2acb https://git.kernel.org/stable/c/7fa72c369c23c27d1f64883c1e276af950557fb1 https://git.kernel.org/stable/c/d4f1c45bdff3f393f9ab7e76795901c442b9eb76 https://git.kernel.org/stable/c/e14a0dcdf468c3ad616bb06696c7c64c36e736d8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:01.739Z

Updated: 2026-05-08T14:22:01.739Z

Reserved: 2026-05-01T14:12:56.009Z

Link: CVE-2026-43429

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:55.117

Modified: 2026-05-08T15:16:55.117

Link: CVE-2026-43429

Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43429 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses

CWE-770

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object