CVE-2026-43170 Overview
CVE-2026-43170 is a Linux kernel vulnerability in the DesignWare USB3 (dwc3) gadget driver. The flaw exists in the dwc3_gadget_vbus_draw() function, which can be invoked from atomic context. The function calls power-supply-core APIs that route to Power Management IC (PMIC) operations capable of sleeping. Calling sleeping functions from atomic context triggers a kernel panic, resulting in denial of service on affected systems.
The fix relocates the vbus_draw operation into a workqueue context, allowing the sleep-capable PMIC operations to execute safely. Patches have been merged across multiple stable kernel branches.
Critical Impact
Local denial of service through kernel panic when USB gadget vbus current draw negotiation occurs on systems where the PMIC power-supply driver contains sleeping operations.
Affected Products
- Linux kernel usb/dwc3 gadget driver
- Stable kernel branches receiving backports referenced in commits 2333653e, 54aaa3b3, 74a231e3, 76c1123f, and a7a80c25
- Embedded and mobile platforms using DesignWare USB3 controllers paired with PMIC-backed power-supply drivers
Discovery Timeline
- 2026-05-06 - CVE-2026-43170 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43170
Vulnerability Analysis
The vulnerability is a sleeping-in-atomic-context bug [CWE-662 / CWE-833 class] inside the dwc3 USB gadget driver. The dwc3_gadget_vbus_draw() callback notifies the system of how much current the USB gadget intends to draw from VBUS during USB enumeration. The dwc3 driver invokes this function while holding spinlocks or running in interrupt-style atomic context.
Downstream, dwc3_gadget_vbus_draw() calls into power_supply_set_property() and related power-supply-core APIs. On platforms where the registered power supply is backed by a PMIC accessed over a sleeping bus such as I2C or SPMI, those property handlers can block. Sleeping while atomic violates kernel scheduling invariants and the kernel responds with a BUG: scheduling while atomic panic.
Root Cause
The root cause is a context mismatch between caller and callee. The dwc3 gadget code path holds a spinlock or executes in IRQ context when adjusting VBUS current. The power-supply-core path it calls makes no guarantee of being non-blocking and frequently invokes regulator or PMIC drivers that may sleep. The dwc3 driver assumed a synchronous, non-sleeping power-supply contract that does not hold across all platforms.
Attack Vector
Exploitation requires local USB activity that triggers gadget enumeration or current-draw renegotiation. An attacker with physical access who connects or reconnects USB peripherals can drive the code path on a vulnerable platform. There is no remote network attack vector and no privilege escalation primitive. The realistic outcome is a kernel panic and system crash.
No public proof-of-concept is available, and the EPSS probability is 0.018% (percentile 4.875), indicating very low expected exploitation activity.
The upstream fix moves the VBUS draw work onto a workqueue using a deferred worker, decoupling the sleeping power-supply call from the atomic caller. See the linked stable commits for the exact patch logic.
Detection Methods for CVE-2026-43170
Indicators of Compromise
- Kernel log entries containing BUG: scheduling while atomic referencing dwc3_gadget_vbus_draw in the call trace
- Unexpected kernel panics correlated with USB gadget connect, disconnect, or charger renegotiation events
- Stack traces showing power_supply_set_property invoked from dwc3 interrupt handlers
Detection Strategies
- Audit running kernel versions against the patched commits referenced in the stable tree to confirm whether the fix is present
- Inspect dmesg and persistent kernel logs (/var/log/kern.log, journalctl -k) for atomic-context warnings tied to dwc3
- Review crash dumps (kdump, pstore) on devices using DesignWare USB3 controllers with PMIC-driven power supplies
Monitoring Recommendations
- Centralize kernel logs from Linux endpoints and embedded devices to detect repeated panics consistent with this defect
- Track USB subsystem panics on fleet devices, particularly mobile, automotive, and IoT hardware using dwc3
- Alert on kernel oops or panic counters increasing on hosts that have not yet received the stable kernel update
How to Mitigate CVE-2026-43170
Immediate Actions Required
- Update affected Linux kernels to a stable release containing one of the fix commits (2333653e, 54aaa3b3, 74a231e3, 76c1123f, a7a80c25)
- Identify systems using the dwc3 gadget driver with PMIC-backed power supplies and prioritize them for patching
- Validate that downstream vendor kernels (Android, embedded distributions) have backported the workqueue refactor
Patch Information
The upstream fix moves the VBUS current draw notification into a workqueue context so that power-supply-core calls into sleeping PMIC drivers occur from a process context. The patch series is available in the mainline and stable trees through the following commits: Linux Kernel Commit 2333653e, Linux Kernel Commit 54aaa3b3, Linux Kernel Commit 74a231e3, Linux Kernel Commit 76c1123f, and Linux Kernel Commit a7a80c25.
Workarounds
- Restrict physical USB access to affected devices until the kernel is updated
- Where possible, disable USB gadget mode on systems that do not require it by unloading or blacklisting the dwc3 gadget configuration
- On embedded platforms, consider configuring the power-supply backend to a non-sleeping driver if available, as a temporary measure pending the kernel update
# Verify the running kernel and check for the dwc3 gadget driver
uname -r
lsmod | grep -E 'dwc3|udc'
# Inspect kernel logs for atomic-context warnings tied to dwc3
journalctl -k --no-pager | grep -E 'scheduling while atomic|dwc3_gadget_vbus_draw'
# Optional: prevent dwc3 gadget from loading on systems that do not need it
echo 'blacklist dwc3' | sudo tee /etc/modprobe.d/blacklist-dwc3.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
