{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43425", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.009Z", "datePublished": "2026-05-08T14:21:59.020Z", "dateUpdated": "2026-05-08T14:21:59.020Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:21:59.020Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: image: mdc800: kill download URB on timeout\n\nmdc800_device_read() submits download_urb and waits for completion.\nIf the timeout fires and the device has not responded, the function\nreturns without killing the URB, leaving it active.\n\nA subsequent read() resubmits the same URB while it is still\nin-flight, triggering the WARN in usb_submit_urb():\n\n \"URB submitted while active\"\n\nCheck the return value of wait_event_timeout() and kill the URB if\nit indicates timeout, ensuring the URB is complete before its status\nis inspected or the URB is resubmitted.\n\nSimilar to\n- commit 372c93131998 (\"USB: yurex: fix control-URB timeout handling\")\n- commit b98d5000c505 (\"media: rc: iguanair: handle timeouts\")"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/image/mdc800.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "9fa5a49760979ba016506fe292a431c8b83f043e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "15536f6c15f48037a1672cbdea53266d67861ff6", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "9bf877cc67309b2a063b0087c3ad8585fb11cec3", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "155f471e38aa516f6c58c2ae03ca3dc222fa2fdb", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d4a400a6a4c4d49f77a04a3f401df5ae1a10657c", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "b7fed917f84e484e06c5e9926746d0b524e3a93e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "cc7398447810c9450c90d092efe9997569f8d96f", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "1be3b77de4eb89af8ae2fd6610546be778e25589", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/image/mdc800.c"], "versions": [{"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9fa5a49760979ba016506fe292a431c8b83f043e"}, {"url": "https://git.kernel.org/stable/c/15536f6c15f48037a1672cbdea53266d67861ff6"}, {"url": "https://git.kernel.org/stable/c/9bf877cc67309b2a063b0087c3ad8585fb11cec3"}, {"url": "https://git.kernel.org/stable/c/155f471e38aa516f6c58c2ae03ca3dc222fa2fdb"}, {"url": "https://git.kernel.org/stable/c/d4a400a6a4c4d49f77a04a3f401df5ae1a10657c"}, {"url": "https://git.kernel.org/stable/c/b7fed917f84e484e06c5e9926746d0b524e3a93e"}, {"url": "https://git.kernel.org/stable/c/cc7398447810c9450c90d092efe9997569f8d96f"}, {"url": "https://git.kernel.org/stable/c/1be3b77de4eb89af8ae2fd6610546be778e25589"}], "title": "usb: image: mdc800: kill download URB on timeout", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: image: mdc800: kill download URB on timeout\n\nmdc800_device_read() submits download_urb and waits for completion.\nIf the timeout fires and the device has not responded, the function\nreturns without killing the URB, leaving it active.\n\nA subsequent read() resubmits the same URB while it is still\nin-flight, triggering the WARN in usb_submit_urb():\n\n \"URB submitted while active\"\n\nCheck the return value of wait_event_timeout() and kill the URB if\nit indicates timeout, ensuring the URB is complete before its status\nis inspected or the URB is resubmitted.\n\nSimilar to\n- commit 372c93131998 (\"USB: yurex: fix control-URB timeout handling\")\n- commit b98d5000c505 (\"media: rc: iguanair: handle timeouts\")"}], "id": "CVE-2026-43425", "lastModified": "2026-05-08T15:16:54.620", "metrics": {}, "published": "2026-05-08T15:16:54.620", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/15536f6c15f48037a1672cbdea53266d67861ff6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/155f471e38aa516f6c58c2ae03ca3dc222fa2fdb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1be3b77de4eb89af8ae2fd6610546be778e25589"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9bf877cc67309b2a063b0087c3ad8585fb11cec3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9fa5a49760979ba016506fe292a431c8b83f043e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b7fed917f84e484e06c5e9926746d0b524e3a93e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cc7398447810c9450c90d092efe9997569f8d96f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d4a400a6a4c4d49f77a04a3f401df5ae1a10657c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}