CVE-2026-43428
Description
In the Linux kernel, the following vulnerability has been resolved:
USB: core: Limit the length of unkillable synchronous timeouts
The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device.
To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector.
In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/06d2bbc4c66c6b0e8a43728c4949026026a5be67nvd
- git.kernel.org/stable/c/1015c27a5e1a63efae2b18a9901494474b4d1dc3nvd
- git.kernel.org/stable/c/24b31a227f679a942d820840a4dea7f0c09a387fnvd
- git.kernel.org/stable/c/2d34cb4d1d6283b4be9c78f4a83ed6956d3069ecnvd
- git.kernel.org/stable/c/4e86f5b79e62ded7e3c3ebd688cf5775e618148anvd
- git.kernel.org/stable/c/64f3d75633aedc12bdff220e9a4337177430bd9dnvd
- git.kernel.org/stable/c/659c0c7d50a4b0f6aa197c4c098cfd91daf63862nvd
- git.kernel.org/stable/c/6c62935670acdbb7687ced20494923b66fbb0367nvd
News mentions
0No linked articles in our index yet.