HIGH
usb BufferRead Race
CVE-2026-43427
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI 1.8 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

usb: class: cdc-wdm: fix reordering issue in read code path

Quoting the bug report:

Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1].

Fix it by using WRITE_ONCE and memory barriers.
02 KernelScan AI Analysis
Risk summary
A race condition in the USB CDC-WDM driver can cause uninitialized kernel memory to be copied to userspace due to memory reordering. This affects systems with USB CDC-WDM devices where the length field update can be reordered before the actual data copy, leading to information disclosure.
Vulnerability analysis
The vulnerability occurs in wdm_in_callback(), where desc->length is updated after memmove() copies data into the buffer. Due to compiler optimization or CPU out-of-order execution, this length update can be reordered before the memmove(), creating a race window in which wdm_read() sees the new length but reads uninitialized memory. The fix uses WRITE_ONCE() and memory barriers (smp_wmb()/smp_rmb()) to enforce ordering between the data copy and the length update. Attack surface is limited to physical USB device access.
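The copy-then-publish ordering described above, as an added user-space C11 sketch; it is not the cdc-wdm driver's code or the upstream patch. `struct demo_desc`, `demo_publish()` and `demo_read()` are hypothetical names, and C11 fences stand in for the kernel's `smp_wmb()`/`smp_rmb()`.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Hypothetical stand-in for the driver's descriptor. */
struct demo_desc {
    unsigned char ubuf[BUF_SIZE];
    atomic_size_t length;          /* bytes of ubuf that are valid */
};

/* Producer (callback analog): copy the data, then publish the length. */
static int demo_publish(struct demo_desc *d, const void *src, size_t n)
{
    size_t cur = atomic_load_explicit(&d->length, memory_order_relaxed);

    if (n > BUF_SIZE - cur)
        return -1;                               /* would overflow ubuf */
    memmove(d->ubuf + cur, src, n);
    atomic_thread_fence(memory_order_release);   /* smp_wmb() analog */
    atomic_store_explicit(&d->length, cur + n,   /* WRITE_ONCE() analog */
                          memory_order_relaxed);
    return 0;
}

/* Consumer (read-path analog): sample the length once, then copy. */
static size_t demo_read(struct demo_desc *d, void *dst, size_t cap)
{
    size_t n = atomic_load_explicit(&d->length, memory_order_relaxed);

    atomic_thread_fence(memory_order_acquire);   /* smp_rmb() analog */
    if (n > cap)
        n = cap;
    memcpy(dst, d->ubuf, n);   /* only bytes published before the length */
    return n;
}

int main(void)
{
    static struct demo_desc d;     /* zero-initialised: length == 0 */
    unsigned char out[BUF_SIZE];

    demo_publish(&d, "abcd", 4);   /* constructed sample payload */
    printf("read %zu bytes\n", demo_read(&d, out, sizeof out));
    return 0;
}
```

Without the release fence, the compiler or CPU may make the length store visible before the buffer stores, which is the window in which a reader copies bytes that were never written.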
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 638328ca9c17 |
| 5.15 | 5.15.203 | 170e8daca24d |
| 6.1 | 6.1.167 | c8fa96ed0219 |
| 6.12 | 6.12.78 | 276aef0fd2b9 |
| 6.18 | 6.18.19 | 67ed312124bb |
| 6.19 | 6.19.9 | e3c874b05901 |
| 6.6 | 6.6.130 | 4ee3062bf2c9 |
| mainline | 7.0 | 8df672bfe3ec |