Description
In the Linux kernel, the following vulnerability has been resolved:

usb: legacy: ncm: Fix NPE in gncm_bind

Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle
with bind/unbind") deferred the allocation of the net_device. This
change leads to a NULL pointer dereference in the legacy NCM driver as
it attempts to access the net_device before it's fully instantiated.

Store the provided qmult, host_addr, and dev_addr into the struct
ncm_opts->net_opts during gncm_bind(). These values will be properly
applied to the net_device when it is allocated and configured later in
the binding process by the NCM function driver.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a null pointer dereference in the Linux kernel NCM gadget driver during the gncm_bind process. When the driver attempts to access a net_device before it has been fully instantiated, the kernel may crash. This crash can lead to a denial of service, potentially disrupting system stability and availability. The flaw is an internal driver bug and does not directly grant remote code execution or data exposure.

Affected Systems

All Linux kernel versions that contain the legacy NCM driver before the applied patch are affected. No specific CVE‑affected kernel releases are listed; the issue applies to any kernel build that compiles the NCM gadget modules without the fix. Users operating recent kernels that have not incorporated the commit addressing the null pointer dereference remain vulnerable.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, so the exploitation probability is uncertain. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need to trigger gncm_bind, which occurs when the NCM gadget driver is loaded, commonly when a USB device is connected. Although the attack vector is likely local or device‑centric, the kernel crash could still lead to a denial of service. No public exploit is known, and the issue was resolved by the referenced commit.

Generated by OpenCVE AI on May 9, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates commit 56a512a9b410, which allocates the net_device before it is accessed.
  • If the system does not require the NCM gadget driver, disable or remove the driver module to eliminate the attack surface.
  • If the driver is required, rebuild and deploy a kernel that includes this commit by applying the change to gncm_bind in custom builds or in your distribution’s kernel patch set.

Generated by OpenCVE AI on May 9, 2026 at 13:27 UTC.


Advisories

No advisories yet.

History

Sat, 09 May 2026 12:15:00 +0000


Fri, 08 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver.
Title | (none) | usb: legacy: ncm: Fix NPE in gncm_bind
First Time appeared | (none) | Linux; Linux linux Kernel
CPEs | (none) | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:57.031Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43422

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T15:16:54.290

Modified: 2026-05-08T15:16:54.290

Link: CVE-2026-43422

Redhat

Severity:

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43422 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T13:30:34Z

Weaknesses