GHSA-GQ4C-7253-Q3CG

Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode

kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration.

The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB:

kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); }

kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done }

kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active }

This triggers the WARN in usb_submit_urb():

"URB submitted while active"

This is a similar class of bug fixed in rtl8150 by

  • commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast").

Also kaweth_set_rx_mode() is already functionally broken, the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is not a no-op only at ndo_open() time.

Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-43180"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-06T12:16:36Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode\n\nkaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls\nnetif_stop_queue() and netif_wake_queue(). These are TX queue flow\ncontrol functions unrelated to RX multicast configuration.\n\nThe premature netif_wake_queue() can re-enable TX while tx_urb is still\nin-flight, leading to a double usb_submit_urb() on the same URB:\n\nkaweth_start_xmit() {\n    netif_stop_queue();\n    usb_submit_urb(kaweth-\u003etx_urb);\n}\n\nkaweth_set_rx_mode() {\n    netif_stop_queue();\n    netif_wake_queue();             // wakes TX queue before URB is done\n}\n\nkaweth_start_xmit() {\n    netif_stop_queue();\n    usb_submit_urb(kaweth-\u003etx_urb); // URB submitted while active\n}\n\nThis triggers the WARN in usb_submit_urb():\n\n  \"URB submitted while active\"\n\nThis is a similar class of bug fixed in rtl8150 by\n\n- commit 958baf5eaee3 (\"net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\").\n\nAlso kaweth_set_rx_mode() is already functionally broken, the\nreal set_rx_mode action is performed by kaweth_async_set_rx_mode(),\nwhich in turn is not a no-op only at ndo_open() time.",
  "id": "GHSA-gq4c-7253-q3cg",
  "modified": "2026-05-08T15:31:16Z",
  "published": "2026-05-06T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43180"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/443a830b1dc4f85c7560da59d4494b629feee215"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/586318c2730433184c6f1d21183e346ddf25e81d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64868f5ecadeb359a49bc4485bfa7c497047f13a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8367c0e90126426e60581e4c07e1ec4411a0f843"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9c79b839a63980c7da7ec5db895198045e154112"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2cd4b4db315a845a5603d08c9d03b11ddfc799d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef9b10a020503888eb6c8ed85a3d901a624ede4c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc393af769af845d9985e2845e49553d8f015a64"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.