CVE-2026-43255 Overview
CVE-2026-43255 is a kernel vulnerability in the Linux libertas Wi-Fi driver. The flaw resides in the usb_tx_block() function, which submits the cardp->tx_urb USB Request Block (URB) without confirming that any prior transmission on the same URB has completed. When a second submission occurs while the URB remains active, such as during rapid firmware loading, usb_submit_urb() triggers the kernel warning URB submitted while active. The upstream fix enforces serialization by calling usb_kill_urb() before submitting a new request, ensuring the URB is idle and safe to reuse.
Critical Impact
A race condition in the libertas USB Wi-Fi driver can produce kernel warnings and unstable URB state during firmware loading on affected systems.
Affected Products
- Linux kernel — drivers/net/wireless/marvell/libertas USB transport
- Systems using Marvell Libertas-based USB Wi-Fi adapters
- Distributions shipping affected upstream kernel versions prior to the fix commits
Discovery Timeline
- 2026-05-06 - CVE-2026-43255 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43255
Vulnerability Analysis
The defect is a race condition in the libertas wireless driver's USB submission path. The function usb_tx_block() re-submits cardp->tx_urb without first verifying that any previous transfer using the same URB has finished. Because USB Request Blocks cannot legally be re-submitted while still active, the USB core's usb_submit_urb() validation logic detects the in-flight state and emits the URB submitted while active warning. Under rapid firmware loading or other tight transmission loops, the timing window widens and the warning becomes reproducible.
While the immediate symptom is a kernel log warning, the underlying behavior reflects unsynchronized access to a shared URB structure. This category of defect (race condition) in kernel drivers can lead to inconsistent driver state, dropped transmissions, or undefined behavior depending on the surrounding code paths.
Root Cause
The driver lacked serialization between successive uses of the single tx_urb member of the card private structure. No prior call to usb_kill_urb() or completion wait existed to guarantee the URB was idle before re-submission. The fix introduces an explicit usb_kill_urb() call before each new submission so the URB is always in a known idle state.
Attack Vector
Triggering the condition requires interaction with the libertas USB Wi-Fi device, typically through firmware loading or transmission paths that issue back-to-back URB submissions. The reported scenario occurs during rapid firmware loading. No specific exploitation primitive beyond local hardware interaction has been documented in the upstream report.
See the upstream patch series for technical detail: Kernel Commit 2902a9b, Kernel Commit 3308c75, Kernel Commit 498525d, Kernel Commit 5bfb254, Kernel Commit 948a39c, Kernel Commit b820735, Kernel Commit d66676e, and Kernel Commit fc188b4.
Detection Methods for CVE-2026-43255
Indicators of Compromise
- Kernel log messages containing the string URB submitted while active originating from USB core submission validation.
- Repeated warnings tied to the libertas or libertas_usb module during firmware load or Wi-Fi initialization.
- Stack traces in dmesg referencing usb_tx_block and usb_submit_urb.
Detection Strategies
- Monitor dmesg and /var/log/kern.log for WARNING-level messages from the USB subsystem associated with libertas devices.
- Inventory hosts that have the libertas or libertas_usb kernel modules loaded using lsmod and identify those running unpatched kernels.
- Correlate kernel warnings with firmware reload events to identify systems exposed to the race window.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on the URB submitted while active signature.
- Track installed kernel versions across the fleet and compare against the stable trees that include the fix commits.
- Audit which endpoints rely on Marvell Libertas USB Wi-Fi adapters and prioritize them for kernel updates.
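The indicators above, turned into a triage script as an added example (not code from this advisory or from the kernel project). The warning comes from the generic USB core check and the kernel prints the URB address between "URB" and "submitted", so the script matches with a wildcard and attributes a warning to libertas only when a call-trace frame names usb_tx_block or a libertas module. The sample log is constructed and example_drv is a hypothetical module.

```bash
#!/usr/bin/env bash
# Added example. SAMPLE_LOG is constructed (two separate boots): timestamps,
# addresses, offsets, PIDs and the module "example_drv" are made up.
SAMPLE_LOG='[   14.101] ------------[ cut here ]------------
[   14.102] URB 00000000a1b2c3d4 submitted while active
[   14.103] WARNING: CPU: 0 PID: 77 at drivers/usb/core/urb.c usb_submit_urb+0x1/0x2
[   14.104] Modules linked in: libertas_usb libertas cfg80211
[   14.105] Call Trace:
[   14.106]  usb_tx_block+0x1/0x2 [libertas_usb]
[   14.107] ---[ end trace 0000000000000000 ]---
[    9.201] ------------[ cut here ]------------
[    9.202] URB 00000000deadbeef submitted while active
[    9.203] WARNING: CPU: 1 PID: 90 at drivers/usb/core/urb.c usb_submit_urb+0x1/0x2
[    9.204] Modules linked in: example_drv libertas_usb libertas
[    9.205] Call Trace:
[    9.206]  example_send+0x1/0x2 [example_drv]
[    9.207] ---[ end trace 0000000000000000 ]---'

# Reads kernel log text on stdin and prints "libertas" or "other" once per
# WARNING block that carries the signature. "Modules linked in:" is ignored
# on purpose: it lists every loaded module, not the one that raised the
# warning, so only bracketed call-trace frames count as attribution.
classify_urb_warnings() {
  awk '
    function emit() { if (sig) print (hit ? "libertas" : "other"); sig = 0; hit = 0 }
    /\[ cut here \]/                          { emit(); next }
    /URB .*submitted while active/            { emit(); sig = 1; next }
    sig && /usb_tx_block|\[libertas(_usb)?\]/ { hit = 1 }
    /\[ end trace/                            { emit() }
    END                                       { emit() }
  '
}

# Number of signature warnings attributable to the libertas USB transport.
libertas_hits() {
  classify_urb_warnings | grep -c '^libertas$' || true
}

# Demo on the constructed sample; on a host, pipe `dmesg` or `journalctl -k`
# into classify_urb_warnings instead.
printf '%s\n' "$SAMPLE_LOG" | classify_urb_warnings
```

The USB core raises this warning through WARN_ONCE, so it is logged at most once per boot; evaluate each boot's log separately rather than alerting on repeat counts.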
How to Mitigate CVE-2026-43255
Immediate Actions Required
- Update affected systems to a Linux kernel build that includes the upstream "libertas: fix WARNING in usb_tx_block" patch series.
- For systems that cannot be patched immediately, unload the libertas module if the hardware is not required: modprobe -r libertas_usb libertas.
- Restrict physical access to USB ports on systems where untrusted Libertas-class adapters could be attached.
Patch Information
The fix calls usb_kill_urb(cardp->tx_urb) before re-submission in usb_tx_block(), ensuring serialized URB reuse. The change is distributed across multiple stable trees in commits 2902a9b, 3308c75, 498525d, 5bfb254, 948a39c, b820735, d66676e, and fc188b4. Apply the kernel update from your distribution that incorporates these commits, then reboot to load the corrected module.
Workarounds
- Avoid operations that cause rapid successive firmware loads on Libertas USB adapters until the kernel is updated.
- Blacklist the libertas and libertas_usb modules on systems that do not require this Wi-Fi hardware by adding blacklist libertas and blacklist libertas_usb to /etc/modprobe.d/blacklist.conf.
- Replace legacy Marvell Libertas USB adapters with currently supported wireless hardware where feasible.
```bash
# Configuration example

# Verify kernel version and libertas module status
uname -r
lsmod | grep libertas

# Temporarily unload the driver
sudo modprobe -r libertas_usb libertas

# Persistently disable the driver until kernel is patched
echo 'blacklist libertas' | sudo tee -a /etc/modprobe.d/blacklist-libertas.conf
echo 'blacklist libertas_usb' | sudo tee -a /etc/modprobe.d/blacklist-libertas.conf

# Monitor for the warning signature (the kernel prints the URB address
# between "URB" and "submitted", so match with a wildcard)
sudo dmesg -w | grep -iE 'URB.*submitted while active'
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


