Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix atomic context locking issue

The ncm_set_alt function was holding a mutex to protect against races
with configfs, which invokes the might-sleep function inside an atomic
context.

Remove the struct net_device pointer from the f_ncm_opts structure to
eliminate the contention. The connection state is now managed by a new
boolean flag to preserve the use-after-free fix from
commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind
after usb ep transport error").

BUG: sleeping function called from invalid context
Call Trace:
dump_stack_lvl+0x83/0xc0
dump_stack+0x14/0x16
__might_resched+0x389/0x4c0
__might_sleep+0x8e/0x100
...
__mutex_lock+0x6f/0x1740
...
ncm_set_alt+0x209/0xa40
set_config+0x6b6/0xb40
composite_setup+0x734/0x2b40
...
Published: 2026-05-08
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises in the USB NCM gadget driver of the Linux kernel. The function ncm_set_alt originally held a mutex to prevent race conditions with configfs. However, the mutex lock path calls might‑sleep, which is disallowed in an atomic context. This discrepancy can trigger a kernel fault, causing the system to panic or crash when a USB gadget configuration is changed. The weakness is a race condition that can lead to denial of service; an attacker with local or privileged access to the USB gadget subsystem could force an improper sleep call, resulting in an unavailable or compromised system.

Affected Systems

Affected are all Linux kernel releases that include the unpatched f_ncm driver code. The fix was introduced in the commit referenced by the advisory's diff links. Any deployed kernel prior to those changes, regardless of distribution, inherits this bug. The vulnerability does not apply to modern kernels that have incorporated the corrected implementation, where the mutex reference has been removed and a boolean flag manages connection state.

Risk and Exploitability

Because the flaw manifests under an atomic context and requires manipulating the USB gadget configuration, it is a local-user or privileged-level denial of service scenario. The CVSS score is 7.0, the EPSS score is 0.00017 (indicating very low exploitation probability), and it is not listed in the CISA KEV catalog. Attackers would need to trigger the buggy ncm_set_alt path, typically via a configured USB gadget device. No publicly known exploits exist, so the risk is primarily theoretical, contingent upon the presence of the unpatched driver.

Generated by OpenCVE AI on May 9, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit that removes the mutex usage in ncm_set_alt and introduces the boolean connection flag.
  • If an immediate kernel upgrade is not possible, disable or remove the ncm gadget module from the system to eliminate the attack surface.
  • After applying the fix, verify that no processes or services rely on the NCM gadget; monitor kernel logs for any remaining crash events caused by configuration changes.

Generated by OpenCVE AI on May 9, 2026 at 15:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-663
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ...
Title usb: gadget: f_ncm: Fix atomic context locking issue
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:57.683Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43423

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:54.390

Modified: 2026-05-08T15:16:54.390

Link: CVE-2026-43423

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43423 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T16:00:13Z

Weaknesses