CVE-2026-43342 Overview
CVE-2026-43342 is a race condition vulnerability in the Linux kernel's USB gadget RNDIS function driver (f_rndis). The class, subclass, and protocol options in this driver can be accessed concurrently through configfs without proper synchronization. This concurrent access creates a race condition classified under [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization).
The issue was identified during code inspection. The upstream fix introduces an existing mutex to protect these RNDIS options from concurrent modification, eliminating the race window.
Critical Impact
A local low-privileged attacker with access to configfs can trigger concurrent access to RNDIS options, potentially leading to a high-impact availability disruption on affected Linux systems.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0 release candidates rc1 through rc6
- Systems with USB gadget RNDIS function enabled via configfs
Discovery Timeline
- 2026-05-08 - CVE-2026-43342 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-43342
Vulnerability Analysis
The vulnerability resides in the f_rndis USB gadget function driver within the Linux kernel. RNDIS (Remote Network Driver Interface Specification) is Microsoft's protocol used for emulating network connections over USB. The driver exposes configuration options including class, subclass, and protocol through the configfs virtual filesystem.
These option attributes can be read and written concurrently from userspace through different file descriptors. Without proper locking, simultaneous access produces inconsistent state. The maintainers identified this issue during code inspection rather than in response to active exploitation.
The attack vector is local and requires low privileges, but exploitation complexity is high. Successful exploitation impacts availability without affecting confidentiality or integrity.
Root Cause
The root cause is missing synchronization on shared option fields in the f_rndis driver. The class/subclass/protocol attributes are exposed as writable configfs entries but the read and write paths do not acquire the function's existing mutex. The fix reuses the existing mutex to serialize access to these option fields.
Attack Vector
An attacker with local access and permissions to interact with configfs USB gadget configuration paths can issue concurrent writes to the RNDIS class, subclass, and protocol attributes. Triggering the race requires precise timing, reflected in the high attack complexity rating. Successful triggering can corrupt the gadget configuration state and disrupt USB gadget functionality.
No public proof-of-concept exploit is available and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS data reports a probability of 0.032%, indicating low likelihood of exploitation in the near term.
The vulnerability mechanism is described in the upstream commit messages. Refer to the kernel git commits for the exact code changes that add mutex protection around the RNDIS option accessors.
Detection Methods for CVE-2026-43342
Indicators of Compromise
- Unexpected kernel warnings or oops messages referencing f_rndis or RNDIS configfs paths
- Anomalous USB gadget reconfiguration events from non-administrative user contexts
- System logs showing repeated writes to /sys/kernel/config/usb_gadget/*/functions/rndis.*/class, subclass, or protocol attributes
Detection Strategies
- Audit kernel versions against the patched commits listed in the vendor advisories to identify exposed hosts
- Monitor process activity that opens and writes to USB gadget configfs paths, particularly from unexpected user accounts
- Correlate kernel ring buffer (dmesg) entries with userspace processes manipulating gadget configuration
Monitoring Recommendations
- Enable Linux audit rules on /sys/kernel/config/usb_gadget/ to capture write events with associated process context
- Track loaded kernel modules and flag systems running unpatched kernel versions with usb_f_rndis loaded
- Alert on unusual USB gadget reconfiguration during runtime on production systems that do not require dynamic gadget changes
How to Mitigate CVE-2026-43342
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisories for the affected stable branch in use
- Restrict access to USB gadget configfs paths to root and dedicated administrative accounts only
- Unload the usb_f_rndis module on systems that do not require USB RNDIS gadget functionality
Patch Information
The Linux kernel maintainers released fixes across multiple stable branches. The relevant commits are 0a75d97, 209decd3, 446f1842, 65b7dbf, 7d8fa3b, 8d8c68b, c1b3d5b, and cb5316b. Each fix introduces mutex protection around the RNDIS class, subclass, and protocol option accessors.
Workarounds
- Blacklist the usb_f_rndis kernel module on hosts that do not require RNDIS USB gadget functionality
- Tighten filesystem permissions on /sys/kernel/config/usb_gadget/ so only privileged administrators can modify gadget attributes
- Disable configfs mounting entirely on systems that do not use USB gadget composition
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
