CVE-2026-43180
EUVD-2026-2774006.05.2026, 12:16
In the Linux kernel, the following vulnerability has been resolved:
net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls
netif_stop_queue() and netif_wake_queue(). These are TX queue flow
control functions unrelated to RX multicast configuration.
The premature netif_wake_queue() can re-enable TX while tx_urb is still
in-flight, leading to a double usb_submit_urb() on the same URB:
kaweth_start_xmit() {
netif_stop_queue();
usb_submit_urb(kaweth->tx_urb);
}
kaweth_set_rx_mode() {
netif_stop_queue();
netif_wake_queue(); // wakes TX queue before URB is done
}
kaweth_start_xmit() {
netif_stop_queue();
usb_submit_urb(kaweth->tx_urb); // URB submitted while active
}
This triggers the WARN in usb_submit_urb():
"URB submitted while active"
This is a similar class of bug fixed in rtl8150 by
- commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").
Also kaweth_set_rx_mode() is already functionally broken, the
real set_rx_mode action is performed by kaweth_async_set_rx_mode(),
which in turn is not a no-op only at ndo_open() time.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.12.1 ≤ 𝑥 < 5.10.252 |
| linux | linux_kernel | 5.11 ≤ 𝑥 < 5.15.202 |
| linux | linux_kernel | 5.16 ≤ 𝑥 < 6.1.165 |
| linux | linux_kernel | 6.2 ≤ 𝑥 < 6.6.128 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.75 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.16 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 6.19.6 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12:rc2 |
| linux | linux_kernel | 2.6.12:rc3 |
| linux | linux_kernel | 2.6.12:rc4 |
| linux | linux_kernel | 2.6.12:rc5 |
| linux | linux_kernel | 2.6.12:rc6 |
| linux | linux_kernel | 7.0:rc1 |
𝑥
= Vulnerable software versions
Debian Releases
Vulnerability Media Exposure
References