CVE-2026-43479 Overview
CVE-2026-43479 is a Linux kernel vulnerability in the lan78xx USB Ethernet driver. The flaw triggers a kernel warning in __netif_napi_del_locked() during USB device disconnect events. The driver calls netif_napi_del() redundantly in its disconnect path while NAPI (New API) remains enabled, producing a WARN at net/core/dev.c:7417. The fix removes the redundant call because unregister_netdev() already handles NAPI teardown safely.
The vulnerability affects systems using LAN78xx-based USB Ethernet adapters. Local users can trigger the warning by physically disconnecting the adapter or simulating a USB removal event.
Critical Impact
Triggers a kernel WARN on USB disconnect of LAN78xx Ethernet adapters, polluting kernel logs and potentially destabilizing systems configured to panic on warnings.
Affected Products
- Linux kernel versions containing the lan78xx USB Ethernet driver prior to the upstream fix
- Embedded and IoT systems using Microchip LAN78xx USB Gigabit Ethernet controllers
- Stable kernel branches tracked by commits 20ce2bd, 312c816, and 395a8b9
Discovery Timeline
- 2026-05-13 - CVE-2026-43479 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43479
Vulnerability Analysis
The lan78xx driver manages USB-attached Gigabit Ethernet controllers through the Linux networking stack. During device disconnect, the driver's lan78xx_disconnect() function invokes netif_napi_del() to tear down the NAPI context. This call occurs while NAPI is still enabled on the network device.
The kernel networking core enforces an invariant: __netif_napi_del_locked() must not be called on an enabled NAPI instance outside of unregister_netdev(). When lan78xx_disconnect() violates this invariant, the kernel emits a WARN at net/core/dev.c:7417. The disconnect sequence proceeds, but the warning indicates incorrect driver teardown ordering.
The call chain reaches the warning through usb_hub_wq processing a hub event: hub_event → usb_disconnect → usb_disable_device → device_del → usb_unbind_interface → lan78xx_disconnect → __netif_napi_del_locked.
Root Cause
The driver carries a redundant netif_napi_del() invocation in its disconnect path. The subsequent unregister_netdev() call already performs NAPI teardown automatically and in the correct ordering. The explicit call duplicates the operation and runs at the wrong point in the teardown sequence, when NAPI has not yet been disabled.
Attack Vector
The issue is reachable by any event that causes the LAN78xx USB device to disconnect from the host. This includes physical removal, USB bus resets, hub events, or driver unbinding through sysfs. The trigger requires either physical access or local privileges to manipulate USB device state. The vulnerability produces a kernel warning rather than memory corruption or privilege escalation.
For systems configured with panic_on_warn=1, the warning escalates to a kernel panic, creating a local denial-of-service condition. The upstream fix removes the redundant netif_napi_del() call in the disconnect handler, allowing unregister_netdev() to manage the NAPI lifecycle correctly. Refer to Kernel Patch 395a8b9 for the upstream change.
Detection Methods for CVE-2026-43479
Indicators of Compromise
- Kernel log entries containing WARNING: CPU: X PID: X at net/core/dev.c:7417 __netif_napi_del_locked following a USB disconnect event
- Preceding log lines from lan78xx reporting Failed to read register index with ret = -ENODEV
- Stack traces showing lan78xx_disconnect calling into __netif_napi_del_locked
Detection Strategies
- Monitor dmesg and /var/log/kern.log for the WARN signature combined with lan78xx driver messages
- Audit running kernel version against the fixed stable releases referenced by commits 20ce2bd1c1848414c5d3520d301ed3f5751ed634, 312c816c6bc30342bc30dca0d6db617ab4d3ae4e, and 395a8b903738511f536c97c427e15ef038e1a11c
- Inventory hosts and embedded devices using Microchip LAN78xx USB Ethernet adapters
Monitoring Recommendations
- Forward kernel ring buffer events to a central log platform and alert on __netif_napi_del_locked WARN traces
- Track unexpected USB disconnect events on production systems where LAN78xx adapters serve primary connectivity
- Verify whether panic_on_warn is enabled on hardened or production kernels, since the warning becomes fatal under that configuration
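The detection and monitoring steps above can be combined into one triage check. The script below is an added example, not part of the advisory or the kernel tree: it counts WARN blocks raised in __netif_napi_del_locked whose trace includes lan78xx_disconnect and reports whether panic_on_warn makes them fatal. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Sample log lines are constructed.

# count_lan78xx_warns FILE
# Print how many WARN blocks raised in __netif_napi_del_locked also show
# lan78xx_disconnect in their trace. A block ends at "---[ end trace"; a new
# WARNING line also resets state so a truncated trace cannot leak forward.
count_lan78xx_warns() {
    awk '
        /WARNING:/ { in_warn = ($0 ~ /__netif_napi_del_locked/); hit = 0; next }
        in_warn && !hit && /lan78xx_disconnect/ { hit = 1; n++ }
        /---\[ end trace/ { in_warn = 0 }
        END { print n + 0 }
    ' "$1"
}

# warn_is_fatal [FILE]: succeed when panic_on_warn reads 1.
# FILE defaults to the live sysctl; a path argument allows offline checks.
warn_is_fatal() {
    [ "$(cat "${1:-/proc/sys/kernel/panic_on_warn}" 2>/dev/null)" = "1" ]
}

# triage LOG [SYSCTL_FILE]: classify a host from its kernel log.
triage() {
    hits=$(count_lan78xx_warns "$1")
    if [ "$hits" -eq 0 ]; then echo "clean"
    elif warn_is_fatal "$2"; then echo "fatal-config hits=$hits"
    else echo "warn hits=$hits"
    fi
}

# write_sample_log FILE: constructed kernel log with one matching WARN and
# one unrelated WARN that must not be counted.
write_sample_log() {
    cat > "$1" <<'EOF'
[  101.1] lan78xx 1-1:1.0 eth1: Failed to read register index, ret = -ENODEV
[  101.2] WARNING: CPU: 0 PID: 42 at net/core/dev.c:7417 __netif_napi_del_locked+0x0/0x0
[  101.3] Call Trace:
[  101.4]  lan78xx_disconnect+0x0/0x0 [lan78xx]
[  101.5]  usb_unbind_interface+0x0/0x0
[  101.6] ---[ end trace 0000000000000000 ]---
[  202.1] WARNING: CPU: 1 PID: 7 at kernel/example.c:1 example_fn+0x0/0x0
[  202.2]  lan78xx_disconnect+0x0/0x0 [lan78xx]
[  202.3] ---[ end trace 0000000000000000 ]---
EOF
}

log=$(mktemp) && write_sample_log "$log" && triage "$log"; rm -f "$log"
```

On a live host, feed it a saved copy of the kernel log, for example the output of dmesg redirected to a file, and alert on any result other than "clean".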
How to Mitigate CVE-2026-43479
Immediate Actions Required
- Apply the upstream stable kernel patches referenced by commits 20ce2bd, 312c816, and 395a8b9 through your distribution's kernel update channel
- Identify hosts using LAN78xx USB Ethernet adapters and prioritize them for the kernel update
- Review panic_on_warn settings on affected systems and temporarily disable the option if patching is delayed
Patch Information
The fix removes the redundant netif_napi_del() call from lan78xx_disconnect(). The NAPI teardown is delegated to unregister_netdev(), which handles the operation safely. The patch is available in the upstream Linux stable tree. See Kernel Patch 20ce2bd, Kernel Patch 312c816, and Kernel Patch 395a8b9.
Workarounds
- Avoid hot-unplugging LAN78xx USB Ethernet adapters on unpatched kernels
- Disable panic_on_warn to prevent the kernel warning from escalating to a panic on production systems
- Unbind the lan78xx driver gracefully through sysfs before physical removal where possible
# Verify kernel version and check for the lan78xx module
uname -r
lsmod | grep lan78xx
# Inspect dmesg for the WARN signature
dmesg | grep -E "lan78xx|__netif_napi_del_locked"
# Temporarily disable panic_on_warn until patching completes
sysctl -w kernel.panic_on_warn=0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


