CVE-2026-43427
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: class: cdc-wdm: fix reordering issue in read code path
Quoting the bug report:
Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1].
Fix it by using WRITE_ONCE and memory barriers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory ordering bug in the Linux cdc-wdm driver allows reading uninitialized memory due to reordered length updates.
Vulnerability: cdc-wdm Read Reordering
The Linux kernel's cdc-wdm driver contains a data race in the read code path. The desc->length update and the subsequent memmove are not properly ordered, meaning a compiler optimization or CPU out-of-order execution can cause desc->length to be stored before the data is moved. This violates the Linux Kernel Memory Model (LKMM) rules on data races [1].
Exploitation
An attacker who can interact with the device (e.g., via USB) may exploit this race condition. The wdm_read() function could observe the new desc->length value and call copy_to_user() on memory that has not yet been initialized with the new data, leading to exposure of kernel memory contents. No special privileges are required beyond access to the device file.
Impact
Successful exploitation could result in information disclosure, leaking sensitive kernel memory to an unprivileged user. The severity is dependent on the content of the leaked memory, but it undermines the confidentiality guarantees of the kernel.
Mitigation
The fix was applied in mainline and backported to stable kernels using WRITE_ONCE and explicit memory barriers to ensure correct ordering [2][3][4]. Users should update their kernel to include these patches.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/170e8daca24da6edb4be82ab01abf44e87af387bnvd
- git.kernel.org/stable/c/276aef0fd2b92f41b920ac891c72cadeee957934nvd
- git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0nvd
- git.kernel.org/stable/c/638328ca9c17ae6511ad62198c57bae32ffa3c91nvd
- git.kernel.org/stable/c/67ed312124bb1b61858778ac0b985b48961c862anvd
- git.kernel.org/stable/c/8df672bfe3ec2268c2636584202755898e547173nvd
- git.kernel.org/stable/c/c8fa96ed021923dae147bcd9f9205b8df7b82360nvd
- git.kernel.org/stable/c/e3c874b05901dc519054b5107d16620e6d2b5feanvd
News mentions
0No linked articles in our index yet.