VYPR
Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 13, 2026

CVE-2026-43170


Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc3: gadget: Move vbus draw to workqueue context

Currently dwc3_gadget_vbus_draw() can be called from atomic context, which in turn invokes power-supply-core APIs. And some of these PMIC APIs have operations that may sleep, leading to kernel panic.

Fix this by moving the vbus_draw into a workqueue context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel vulnerability in the dwc3 USB gadget driver allows a kernel panic when vbus_draw is called from atomic context.

Vulnerability

The Linux kernel's dwc3 USB gadget driver contains a bug in the dwc3_gadget_vbus_draw() function. This function can be invoked from atomic context, but it calls power-supply-core APIs that may perform sleeping operations. This mismatch leads to a kernel panic when the driver attempts to draw VBUS power from a PMIC that requires sleeping operations.

Exploitation

An attacker with local access to the system can trigger this vulnerability by causing the USB gadget driver to call dwc3_gadget_vbus_draw() from an atomic context. This could occur during USB state transitions or gadget configuration changes. No special privileges beyond local access are required, but the attacker must be able to interact with the USB gadget subsystem.

Impact

Successful exploitation results in a kernel panic, causing a denial of service (DoS) on the affected system. The system becomes unavailable until rebooted. The CVSS v3 score of 5.5 (Medium) reflects the local attack vector and availability impact.

Mitigation

The fix moves the vbus_draw operation into a workqueue context, ensuring that sleeping operations are not performed in atomic context. The patch has been applied to the Linux kernel stable tree [1][2][3][4]. Users should update to a kernel version containing this fix.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
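An added triage example, not part of the advisory or the kernel patch: it scans kernel log lines for atomic-context reports whose call trace passes through dwc3_gadget_vbus_draw(), which is how this bug would surface in dmesg on an unpatched kernel. The function name `find_vbus_draw_splats` is hypothetical, the sample log is constructed, and the "sleeping function" message appears only on kernels built with CONFIG_DEBUG_ATOMIC_SLEEP.

```python
import re

# Messages the kernel logs when code sleeps or schedules in atomic context.
# The first needs CONFIG_DEBUG_ATOMIC_SLEEP; the second is always available.
SPLAT = re.compile(
    r"BUG: (sleeping function called from invalid context|scheduling while atomic)")
OTHER_REPORT = re.compile(r"\b(BUG|WARNING|Kernel panic)\b")
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Stack frame such as " dwc3_gadget_vbus_draw+0x44/0x70" (optional "? " prefix).
FRAME = re.compile(r"^\s*(?:\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
TARGET = "dwc3_gadget_vbus_draw"

# Constructed sample: timestamps, offsets, version and frames are illustrative.
SAMPLE_LOG = """\
[  112.403211] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283
[  112.403220] in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0
[  112.403231] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.6.100 #1
[  112.403240] Call trace:
[  112.403244]  __might_sleep+0x50/0x88
[  112.403250]  mutex_lock+0x24/0x80
[  112.403256]  power_supply_set_property+0x30/0x60
[  112.403262]  dwc3_gadget_vbus_draw+0x44/0x70
[  112.403268]  usb_gadget_vbus_draw+0x38/0xb0
[  340.118002] BUG: scheduling while atomic: kworker/0:1/45/0x00000002
[  340.118010] Call trace:
[  340.118014]  __schedule+0x2f0/0x8a0
[  340.118020]  example_irq_handler+0x1c/0x40
"""

def find_vbus_draw_splats(lines):
    """Return atomic-context reports whose call trace includes TARGET."""
    splats, current = [], None
    for number, raw in enumerate(lines, 1):
        line = TIMESTAMP.sub("", raw.rstrip("\n"))
        start = SPLAT.search(line)
        if start:
            current = {"line": number, "kind": start.group(1), "frames": []}
            splats.append(current)
        elif OTHER_REPORT.search(line):
            current = None  # a different report begins; stop collecting frames
        elif current is not None:
            frame = FRAME.match(line)
            if frame:
                current["frames"].append(frame.group(1))
    return [s for s in splats if TARGET in s["frames"]]

if __name__ == "__main__":
    for hit in find_vbus_draw_splats(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['kind']} via {' <- '.join(hit['frames'])}")
```

A match on a production host indicates the unpatched code path is being hit; an empty result does not prove the kernel is fixed, since the report depends on kernel configuration and on the PMIC driver actually sleeping.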

Affected products

  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Range: >=5.13,<6.6.128
