Description
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Published: 2026-03-25
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Kernel crash denial of service
Action: Apply Patch
AI Analysis

Impact

The Linux kernel’s f_ncm USB gadget driver creates a network device that is freed when the gadget disconnects, but its lifecycle is tied to the configuration instance rather than the bind/unbind process. This misalignment allows the net_device to outlive its gadget, resulting in dangling sysfs links and NULL pointer dereferences that cause the kernel to crash. The kernel panic effectively brings the system down, resulting in denial of service.

Affected Systems

All Linux kernel builds that ship the f_ncm driver without the commit that moves the net_device allocation into ncm_bind() and its deallocation into ncm_unbind() are affected. If you are running a distribution kernel that has not incorporated this change, your system is vulnerable. Custom kernels can be checked for the specific commit or the absence of the fix.

Risk and Exploitability

The CVSS score of 7.0 indicates a medium‑to‑high severity. The EPSS score is below 1% and the flaw is not in the CISA KEV list, suggesting a low likelihood of widespread exploitation. The likely attack vector requires a local or privileged user to orchestrate a USB gadget disconnect while the driver is active, which would trigger the kernel crash. Since the vulnerability is tied to kernel internals, exploitation requires sufficient privileges to interact with the USB gadget interface.

Generated by OpenCVE AI on March 26, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to a Linux kernel version that includes the patch moving net_device allocation to ncm_bind() and deallocation to ncm_unbind().
  • If a patch is not available, disable the f_ncm USB gadget driver to prevent disconnect events from reaching the kernel.
  • Verify that the running kernel contains the commit from the fix or runs a kernel version that has integrated the changes.

Generated by OpenCVE AI on March 26, 2026 at 05:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind). This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling sysfs links and NULL pointer dereferences when accessing the freed gadget device. Problem 1: NULL pointer dereference on disconnect Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: __pi_strlen+0x14/0x150 rtnl_fill_ifinfo+0x6b4/0x708 rtmsg_ifinfo_build_skb+0xd8/0x13c rtmsg_ifinfo+0x50/0xa0 __dev_notify_flags+0x4c/0x1f0 dev_change_flags+0x54/0x70 do_setlink+0x390/0xebc rtnl_newlink+0x7d0/0xac8 rtnetlink_rcv_msg+0x27c/0x410 netlink_rcv_skb+0x134/0x150 rtnetlink_rcv+0x18/0x28 netlink_unicast+0x254/0x3f0 netlink_sendmsg+0x2e0/0x3d4 Problem 2: Dangling sysfs symlinks console:/ # ls -l /sys/class/net/ncm0 lrwxrwxrwx ... /sys/class/net/ncm0 -> /sys/devices/platform/.../gadget.0/net/ncm0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0 ls: .../gadget.0/net/ncm0: No such file or directory Move the net_device allocation to ncm_bind() and deallocation to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration. To support pre-bind configuration (e.g., setting interface name or MAC address via configfs), cache user-provided options in f_ncm_opts using the gether_opts structure. Apply these cached settings to the net_device upon creation in ncm_bind(). Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). Check opts->net in ncm_set_alt() and ncm_disable() to ensure gether_disconnect() runs only if a connection was established. This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Title usb: gadget: f_ncm: align net_device lifecycle with bind/unbind kernel: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind). This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling sysfs links and NULL pointer dereferences when accessing the freed gadget device. Problem 1: NULL pointer dereference on disconnect Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: __pi_strlen+0x14/0x150 rtnl_fill_ifinfo+0x6b4/0x708 rtmsg_ifinfo_build_skb+0xd8/0x13c rtmsg_ifinfo+0x50/0xa0 __dev_notify_flags+0x4c/0x1f0 dev_change_flags+0x54/0x70 do_setlink+0x390/0xebc rtnl_newlink+0x7d0/0xac8 rtnetlink_rcv_msg+0x27c/0x410 netlink_rcv_skb+0x134/0x150 rtnetlink_rcv+0x18/0x28 netlink_unicast+0x254/0x3f0 netlink_sendmsg+0x2e0/0x3d4 Problem 2: Dangling sysfs symlinks console:/ # ls -l /sys/class/net/ncm0 lrwxrwxrwx ... /sys/class/net/ncm0 -> /sys/devices/platform/.../gadget.0/net/ncm0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0 ls: .../gadget.0/net/ncm0: No such file or directory Move the net_device allocation to ncm_bind() and deallocation to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration. To support pre-bind configuration (e.g., setting interface name or MAC address via configfs), cache user-provided options in f_ncm_opts using the gether_opts structure. Apply these cached settings to the net_device upon creation in ncm_bind(). Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). Check opts->net in ncm_set_alt() and ncm_disable() to ensure gether_disconnect() runs only if a connection was established.
Title usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: REJECTED

Assigner: Linux

Published:

Updated: 2026-04-03T15:42:10.765Z

Reserved: 2026-01-13T15:37:45.995Z

Link: CVE-2026-23320

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Rejected

Published: 2026-03-25T11:16:28.747

Modified: 2026-04-03T16:16:23.600

Link: CVE-2026-23320

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23320 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:16:38Z

Weaknesses