CVE-2026-43425 Overview
CVE-2026-43425 is a Linux kernel vulnerability in the mdc800 USB image driver. The flaw resides in the mdc800_device_read() function, which submits a download USB Request Block (URB) and waits for completion. When the wait times out and the device does not respond, the function returns without killing the URB, leaving it active. A subsequent read() call resubmits the same URB while it remains in-flight, triggering the WARN in usb_submit_urb() with the message URB submitted while active. The fix checks the return value of wait_event_timeout() and kills the URB on timeout before its status is inspected or it is resubmitted.
Critical Impact
Local users with access to an mdc800-class USB device can trigger kernel warnings and unstable URB state through repeated timed-out reads.
Affected Products
- Linux kernel usb/image/mdc800 driver
- Multiple stable Linux kernel branches addressed via the referenced commits
- Systems exposing the Mustek MDC800 USB digital camera interface
Discovery Timeline
- 2026-05-08 - CVE-2026-43425 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43425
Vulnerability Analysis
The mdc800_device_read() routine in the kernel USB image driver issues an asynchronous download URB through usb_submit_urb() and then blocks on wait_event_timeout() for completion. The original code path did not distinguish between successful completion and timeout expiry. On timeout, the function unwound and returned to userspace while the URB remained queued in the USB core.
When the calling process invoked read() again, the driver attempted to resubmit the still-active URB. The USB core detects this state in usb_submit_urb() and emits the warning URB submitted while active. The driver also risks inspecting URB status fields before the transfer has actually terminated, producing inconsistent results.
The corrected logic captures the return value of wait_event_timeout() and, when zero is returned, invokes usb_kill_urb() to cancel the outstanding transfer. This mirrors prior fixes in commit 372c93131998 for the yurex driver and commit b98d5000c505 for the iguanair media driver.
Root Cause
The root cause is improper timeout handling around an asynchronous USB transfer, leading to an active URB being treated as inactive. This is a state-management bug in driver control flow rather than memory corruption, and it relates to kernel driver robustness around wait_event_timeout() semantics.
Attack Vector
Exploitation requires local access to a system with the mdc800 driver loaded and the corresponding USB device attached or emulated. An attacker with permission to open the device node can issue successive read() operations against an unresponsive device to provoke the warning and inconsistent URB state. The flaw does not provide a remote attack surface, and there is no public evidence of exploitation.
No verified proof-of-concept code is available. The behavior is described in the upstream commit messages referenced in the Kernel Git Commit 9fa5a497 and parallel stable backports.
Detection Methods for CVE-2026-43425
Indicators of Compromise
- Kernel log entries containing the string URB submitted while active originating from usb_submit_urb().
- Repeated dmesg warnings tied to the mdc800 driver module under load.
- Unresponsive or hung processes performing read() calls against /dev/mdc800 style device nodes.
Detection Strategies
- Monitor kernel ring buffer output for USB core WARN traces involving mdc800_device_read in the call stack.
- Audit loaded kernel modules against patched kernel versions referenced in the eight upstream commits.
- Correlate user processes invoking the mdc800 device with subsequent kernel warnings to identify abuse patterns.
Monitoring Recommendations
- Forward kern.warning and kern.err syslog facilities to a centralized log analytics platform for correlation.
- Track kernel package versions across the fleet to confirm timely uptake of stable kernel updates.
- Alert on repeated USB driver WARN events from the same host within short time windows.
How to Mitigate CVE-2026-43425
Immediate Actions Required
- Apply the latest stable Linux kernel update from your distribution that incorporates the mdc800 URB timeout fix.
- If patching is delayed, unload the mdc800 module with modprobe -r mdc800 on systems that do not require Mustek MDC800 camera support.
- Restrict access to USB device nodes through udev rules and group permissions to limit which users can trigger the code path.
Patch Information
The fix is committed across multiple stable branches. Reference commits include Kernel Git Commit 15536f6, Kernel Git Commit 155f471e, Kernel Git Commit 1be3b77d, Kernel Git Commit 9bf877cc, Kernel Git Commit 9fa5a497, Kernel Git Commit b7fed917, Kernel Git Commit cc739844, and Kernel Git Commit d4a400a6. Each commit calls usb_kill_urb() when wait_event_timeout() indicates a timeout.
Workarounds
- Blacklist the mdc800 module on systems with no legitimate need for Mustek MDC800 USB camera support.
- Apply strict permissions on the associated device node so only trusted accounts can issue read() operations.
- Disable USB ports or use USB device filtering on hosts where physical attachment of unknown devices is not required.
# Configuration example
# Prevent loading of the vulnerable driver until patched
echo 'blacklist mdc800' | sudo tee /etc/modprobe.d/blacklist-mdc800.conf
sudo modprobe -r mdc800 2>/dev/null || true
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
