The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23446

CVE-2026-23446: Linux Kernel aqc111 Driver DoS Vulnerability

CVE-2026-23446 is a denial-of-service vulnerability in the Linux kernel aqc111 USB driver causing task hangs during suspend operations. This article covers the technical details, affected versions, and mitigation strategies.

Published: April 10, 2026

CVE-2026-23446 Overview

A deadlock vulnerability has been identified in the Linux kernel's aqc111 USB network driver. The vulnerability occurs when the aqc111_suspend() callback incorrectly performs power management (PM) operations, causing a task hang in rpm_resume(). This flaw was discovered by syzbot, the automated kernel fuzzing infrastructure.

When the suspend callback attempts to use the PM variant of write_cmd routine, it creates a recursive power management call chain that results in the system waiting indefinitely for a status change that will never occur. This subsequently blocks another task holding rtnl_lock, effectively locking up the entire networking stack.

Critical Impact

This vulnerability can cause a complete system hang affecting the networking stack, leading to denial of service conditions on affected Linux systems using Aquantia AQC111 USB network adapters.

Affected Products

  • Linux kernel (multiple stable versions) with aqc111 USB network driver
  • Systems using Aquantia AQC111 USB 3.0 to 5G Ethernet adapters
  • Linux distributions with affected kernel versions

Discovery Timeline

  • 2026-04-03 - CVE CVE-2026-23446 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-23446

Vulnerability Analysis

This vulnerability represents a race condition and deadlock issue within the Linux kernel's power management subsystem, specifically in the aqc111 USB network driver. The core problem lies in improper power management operation sequencing during system suspend operations.

When a USB device enters suspend state, the runtime PM status transitions to RPM_SUSPENDING. During this transition, the aqc111_suspend() function is called for the USB device interface. The problematic call chain occurs when this function invokes aqc111_write32_cmd(), which internally calls usb_autopm_get_interface().

This triggers pm_runtime_resume_and_get(), which then calls rpm_resume() on the parent device. However, since the parent is already in the suspending state, the system enters a blocking wait for a status change that cannot occur—creating an indefinite deadlock.

Root Cause

The root cause is the incorrect use of PM-aware write command functions within the suspend callback context. The aqc111_suspend() function calls aqc111_write32_cmd() which uses usb_autopm_get_interface(). When the device is already in the process of suspending (RPM_SUSPENDING state), attempting to resume power management creates a circular dependency.

The simplified problematic call trace is:

  1. rpm_suspend() → usb_suspend_both() (sets runtime_status = RPM_SUSPENDING)
  2. aqc111_suspend() → aqc111_write32_cmd()
  3. usb_autopm_get_interface() → pm_runtime_resume_and_get()
  4. rpm_resume() on parent → blocked indefinitely

Attack Vector

The vulnerability can be triggered through normal system power management operations such as:

  • System suspend/hibernate operations
  • USB selective suspend (autosuspend)
  • Runtime power management events

While this is primarily a local denial of service vulnerability, it requires no special privileges to trigger—any action that causes the AQC111 USB network device to enter suspend state can potentially trigger the deadlock. Once triggered, the system's networking stack becomes completely unresponsive as another task holding rtnl_lock is blocked.

The fix involves replacing the power management-aware write_cmd calls with their _nopm (no power management) variants within the suspend callback, ensuring no recursive PM operations occur during the suspend sequence.

Detection Methods for CVE-2026-23446

Indicators of Compromise

  • System logs showing "task hung in rpm_resume" messages from syzbot or kernel
  • Kernel stack traces indicating deadlock in aqc111_suspend() or related PM functions
  • Network stack becoming completely unresponsive during suspend operations
  • Processes blocking on rtnl_lock acquisition with indefinite wait times

Detection Strategies

  • Monitor kernel logs for hung task warnings related to runtime PM or USB suspend operations
  • Implement kernel function tracing on rpm_suspend(), rpm_resume(), and aqc111_suspend() to identify abnormal call patterns
  • Use kernel lockdep debugging to detect potential deadlock scenarios in USB network drivers
  • Monitor for system hangs coinciding with USB device power state transitions

Monitoring Recommendations

  • Enable kernel hang detection mechanisms and configure appropriate timeout thresholds
  • Set up automated alerting for kernel messages containing "task hung" or "rtnl_lock" related warnings
  • Monitor system suspend/resume operations for unusual delays or failures on systems with AQC111 adapters
  • Implement watchdog timers to detect and recover from system-wide networking stack deadlocks

How to Mitigate CVE-2026-23446

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the fix for the aqc111 driver
  • If immediate patching is not possible, consider disabling USB autosuspend for AQC111 devices as a temporary workaround
  • Monitor systems with AQC111 USB network adapters for signs of hanging during power management operations
  • Review and test system suspend/resume functionality after applying patches

Patch Information

Multiple kernel commits have been released to address this vulnerability across stable kernel branches:

  • Kernel Commit 069c8f5
  • Kernel Commit 3267bcb
  • Kernel Commit 4de6a43
  • Kernel Commit 621f2f4
  • Kernel Commit 98e8aed
  • Kernel Commit d3e32a6

The fix replaces the PM-aware write_cmd calls with their _nopm variants in the suspend callback path.

Workarounds

  • Disable USB autosuspend for AQC111 devices by setting power management control to "on"
  • Unload the aqc111 driver module if the USB network adapter is not required
  • Use alternative network interfaces during system power management operations
  • Configure systems to skip suspend for USB ethernet adapters using udev rules
bash
# Disable USB autosuspend for AQC111 devices
echo "on" > /sys/bus/usb/devices/<device-id>/power/control

# Alternative: Create a udev rule to disable autosuspend
# /etc/udev/rules.d/99-aqc111-no-autosuspend.rules
# ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="2eca", ATTR{power/control}="on"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechLinux Kernel
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.03%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • Kernel Commit 069c8f5
  • Kernel Commit 3267bcb
  • Kernel Commit 4de6a43
  • Kernel Commit 621f2f4
  • Kernel Commit 98e8aed
  • Kernel Commit d3e32a6
  • Related CVEs
  • CVE-2026-23451: Linux Kernel Bonding Driver DoS Flaw
  • CVE-2026-23460: Linux Kernel ROSE Protocol DoS Vulnerability
  • CVE-2026-23459: Linux Kernel DOS Vulnerability
  • CVE-2026-23453: Linux Kernel ICSSG-PRUETH DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English