CVE-2026-43343 Overview
CVE-2026-43343 is a reference counting flaw in the Linux kernel's USB gadget subsystem, specifically in the f_subset function driver. The geth_alloc() function increments a reference count, but the matching geth_free() function fails to decrement it. This imbalance prevents reconfiguration of attributes through configfs after the function is unlinked. A local low-privileged attacker who can interact with USB gadget configfs entries can trigger resource exhaustion and degrade availability.
Critical Impact
A local authenticated user can exhaust kernel resources by repeatedly allocating and freeing USB gadget Ethernet subset functions, leading to denial of service through reference count leakage.
Affected Products
- Linux Kernel (multiple stable branches, see vendor commits)
- Linux Kernel 7.0-rc1 through 7.0-rc6
- Systems with CONFIG_USB_F_SUBSET enabled
Discovery Timeline
- 2026-05-08 - CVE-2026-43343 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-43343
Vulnerability Analysis
The vulnerability resides in drivers/usb/gadget/function/f_subset.c, which implements the CDC Subset Ethernet function for USB gadgets. The function exposes its configuration through configfs, allowing userspace to compose USB gadget devices dynamically.
When geth_alloc() is invoked, it acquires a reference on an underlying kernel object as part of the allocation lifecycle. The companion geth_free() routine is responsible for releasing the function instance but does not call the corresponding decrement routine. Each allocate-then-free cycle leaks one reference, leaving the object pinned.
The practical effect is that configfs attribute writes targeting the function fail after unlinking, because the stale reference keeps the object in a state that blocks reconfiguration. Repeated cycles can accumulate references and exhaust associated kernel resources.
Root Cause
The root cause is an unbalanced reference count between paired allocation and free routines [CWE-Other]. The fix adds the missing decrement in geth_free() to ensure symmetric reference handling and proper cleanup of the function instance.
Attack Vector
Exploitation requires local access with privileges to write to USB gadget configfs entries, typically /sys/kernel/config/usb_gadget/. An attacker creates the geth function instance, removes it, and repeats the sequence to leak references. The impact is limited to availability, with no confidentiality or integrity compromise. No verified public proof-of-concept exists. Refer to the upstream commits listed in the Linux Kernel Stable Tree for technical details of the fix.
Detection Methods for CVE-2026-43343
Indicators of Compromise
- Repeated creation and removal of geth function instances under /sys/kernel/config/usb_gadget/*/functions/
- Failed configfs attribute writes returning -EBUSY or similar errors after function unlinking
- Gradual increase in kernel slab usage attributable to USB gadget function objects
Detection Strategies
- Audit configfs operations on usb_gadget paths with Linux audit subsystem rules that monitor openat and write syscalls on those paths
- Track kernel reference counts and slab allocations for USB gadget objects using /proc/slabinfo to identify abnormal growth
- Correlate non-root or service-account access to USB gadget configfs with subsequent kernel resource anomalies
Monitoring Recommendations
- Enable kernel audit rules for write operations under /sys/kernel/config/usb_gadget/
- Monitor dmesg for warnings related to f_subset or geth function lifecycle
- Alert on processes repeatedly creating and destroying USB gadget functions within short time windows
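The churn alert described above, as an added example that is not part of the original advisory or any vendor tooling: it joins raw auditd SYSCALL and PATH records by event id and flags an auid that completes several create-then-remove cycles of a geth instance inside a time window. The x86_64 syscall numbers, the absolute PATH names, the window and threshold defaults, and the sample records (constructed, not captured) are assumptions.

```python
import re
from collections import defaultdict, deque

CREATE, REMOVE = {"83", "258"}, {"84", "263"}  # x86_64 mkdir/mkdirat, rmdir/unlinkat (assumption)
GETH = re.compile(r"^/sys/kernel/config/usb_gadget/[^/]+/functions/geth\.[^/]+$")
HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

def parse_events(lines):
    """Join SYSCALL and PATH records that share an audit event id."""
    events = {}
    for line in lines:
        if not (m := HDR.match(line.strip())):
            continue
        rtype, ts, eid, body = m.groups()
        f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        ev = events.setdefault(eid, {"ts": float(ts)})
        if rtype == "SYSCALL" and f.get("success") == "yes":
            ev["syscall"], ev["auid"] = f.get("syscall"), f.get("auid")
        elif rtype == "PATH" and GETH.match(f.get("name", "").strip('"')):
            ev["path"] = f["name"].strip('"')
    done = [e for e in events.values() if "syscall" in e and "path" in e]
    return sorted(done, key=lambda e: e["ts"])

def churn_alerts(lines, window=60.0, threshold=3):
    """Return (auid, ts) whenever an auid has `threshold` completed cycles in `window` s."""
    live, cycles, alerts = set(), defaultdict(deque), []
    for ev in parse_events(lines):
        key = (ev["auid"], ev["path"])
        if ev["syscall"] in CREATE:
            live.add(key)
        elif ev["syscall"] in REMOVE and key in live:
            live.discard(key)              # one full create-then-remove cycle
            q = cycles[ev["auid"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:
                q.popleft()                # drop cycles older than the window
            if len(q) >= threshold:
                alerts.append((ev["auid"], ev["ts"]))
    return alerts

def rec(eid, ts, nr, auid, path):  # builds one constructed SYSCALL + PATH pair
    head = f"msg=audit({ts:.3f}:{eid}):"
    return [f'type=SYSCALL {head} arch=c000003e syscall={nr} success=yes auid={auid} comm="gadgetd"',
            f'type=PATH {head} item=1 name="{path}"']

P = "/sys/kernel/config/usb_gadget/{}/functions/geth.usb0"
SAMPLE = rec(200, 1001, "83", "1002", P.format("g2")) + rec(201, 1003, "84", "1002", P.format("g2"))
for i in range(3):  # auid 1001: three create/remove cycles in 10 s
    SAMPLE += rec(100 + 2 * i, 1000 + 4 * i, "83", "1001", P.format("g1"))
    SAMPLE += rec(101 + 2 * i, 1002 + 4 * i, "84", "1001", P.format("g1"))
```

On the constructed sample, `churn_alerts(SAMPLE)` flags auid 1001 at its third removal and leaves the single cycle from auid 1002 unreported.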
How to Mitigate CVE-2026-43343
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the vendor advisories to all affected kernel branches
- Restrict access to USB gadget configfs paths to root and trusted system services only
- Unload the usb_f_gadget_subset module on systems that do not require CDC Subset Ethernet gadget functionality
Patch Information
The fix decrements the reference count in geth_free() to balance the increment performed by geth_alloc(). Patches have been backported across multiple stable trees. See the upstream commits: Kernel Git Commit 23e4851c, Kernel Git Commit 3d436670, Kernel Git Commit 3f5bfc55, Kernel Git Commit 75776a05, Kernel Git Commit a932b171, Kernel Git Commit caa27923, Kernel Git Commit cc8ec610, and Kernel Git Commit d7d70240.
Workarounds
- Blacklist the usb_f_gadget_subset kernel module on systems where the CDC Subset Ethernet gadget is not needed
- Apply strict filesystem permissions on /sys/kernel/config/usb_gadget/ to limit which users and services can create gadget functions
- Disable CONFIG_USB_F_SUBSET when rebuilding kernels for environments that do not require this function driver
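```bash
# Configuration example: blacklist the affected module and restrict configfs access
# The blacklist entry only stops alias-based autoloading; it does not unload a module that is already loaded.
echo "blacklist usb_f_gadget_subset" | sudo tee /etc/modprobe.d/blacklist-f_subset.conf
# configfs is an in-memory filesystem, so these settings do not persist across a reboot; reapply them at boot.
sudo chmod 700 /sys/kernel/config/usb_gadget
sudo chown root:root /sys/kernel/config/usb_gadget
```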


