Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix net_device lifecycle with device_move

The network device outlived its parent gadget device during
disconnection, resulting in dangling sysfs links and null pointer
dereference problems.

A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1]
was reverted due to power management ordering concerns and a NO-CARRIER
regression.

A subsequent attempt to defer net_device allocation to bind [2] broke
1:1 mapping between function instance and network device, making it
impossible for configfs to report the resolved interface name. This
results in a regression where the DHCP server fails on pmOS.

Use device_move to reparent the net_device between the gadget device and
/sys/devices/virtual/ across bind/unbind cycles. This preserves the
network interface across USB reconnection, allowing the DHCP server to
retain their binding.

Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use
__free(detach_gadget) macro to undo attachment on bind failure. The
bind_count ensures device_move executes only on the first bind.

[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/
[2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The f_ncm USB gadget driver in the Linux kernel can allow a network device to outlive its parent gadget device when the gadget is disconnected. The persistent net_device leaves dangling sysfs links, which in turn triggers a null pointer dereference in kernel space and can cause a system crash. This failure results in a denial‑of‑service condition that would appear as a kernel panic or OOPS. The underlying weakness is an improper resource handling without proper synchronization, consistent with CWE‑825, and can lead to memory corruption and crash.

Affected Systems

All Linux kernel builds that contain the f_ncm driver and have not yet integrated the device_move patch are affected. The advisory does not list specific kernel versions, so any installation of a kernel that ships with the f_ncm module remains vulnerable until an updated image is deployed.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is currently unavailable and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a local or physical attacker who can trigger USB gadget bind/unbind cycles or forcibly reconnect the gadget device to exercise this code path. No publicly documented exploits exist, but an attacker capable of inducing the conditions could crash the kernel and disrupt service.

Generated by OpenCVE AI on May 9, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates the device_move patch for the f_ncm driver.
  • If an upgrade is not yet possible, unload or disable the f_ncm driver when it is not required to avoid reconnection scenarios that trigger the faulty code path.
  • Monitor system logs for kernel OOPS or panic events related to the f_ncm driver and apply the patch promptly when available.

Generated by OpenCVE AI on May 9, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS. Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding. Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind. [1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/ [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/
Title usb: gadget: f_ncm: Fix net_device lifecycle with device_move
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:56.363Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43421

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:54.173

Modified: 2026-05-08T15:16:54.173

Link: CVE-2026-43421

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43421 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:30:17Z

Weaknesses