Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix atomic context locking issue

The ncm_set_alt function was holding a mutex to protect against races
with configfs, which invokes the might-sleep function inside an atomic
context.

Remove the struct net_device pointer from the f_ncm_opts structure to
eliminate the contention. The connection state is now managed by a new
boolean flag to preserve the use-after-free fix from
commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind
after usb ep transport error").

BUG: sleeping function called from invalid context
Call Trace:
dump_stack_lvl+0x83/0xc0
dump_stack+0x14/0x16
__might_resched+0x389/0x4c0
__might_sleep+0x8e/0x100
...
__mutex_lock+0x6f/0x1740
...
ncm_set_alt+0x209/0xa40
set_config+0x6b6/0xb40
composite_setup+0x734/0x2b40
...
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug exists in the USB Network Controller Model (NCM) gadget driver of the Linux kernel. The ncm_set_alt function held a mutex to protect against races with configfs, but the mutex path calls a might‑sleep routine that is forbidden in atomic context, which is a classic instance of the concurrency control weakness described by CWE‑663 (Improper Locking) and the atomic context misuse described by CWE‑667 (Invalid Access to Sleep‑Prone Resource). This misuse can trigger a “sleeping function called from invalid context” fault, leading the kernel to panic or crash, which effectively results in an abrupt loss of service for processes relying on the USB gadget subsystem.

Affected Systems

All Linux kernel releases that contain the pre‑fixed f_ncm driver code, as indicated by the listed CPEs, are vulnerable. The patch removes the mutex usage and replaces it with a boolean flag for connection state. Kernel builds that incorporate the commit that eliminates the atomic context violation are not affected, while older distributions or custom kernels without the update remain susceptible.

Risk and Exploitability

Based on the description, it is inferred that a local privileged user or an attacker controlling a USB gadget device could trigger the fault by exercising the ncm_set_alt path. The CVSS score of 5.5 reflects moderate impact, and the EPSS score of <1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in CISA KEV, and no publicly available exploitation code is known.

Generated by OpenCVE AI on May 26, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release containing the commit that removes the mutex usage in ncm_set_alt and introduces the boolean flag.
  • Disable or unload the ncm gadget module if USB NCM functionality is not required, either by editing the kernel configuration or by using modprobe -r at runtime.
  • Monitor kernel logs (e.g., dmesg or /var/log/kern.log) for “sleeping function called from invalid context” messages or kernel panics linked to USB gadget drivers and apply the patch as soon as an updated kernel becomes available.

Generated by OpenCVE AI on May 26, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-663
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ...
Title usb: gadget: f_ncm: Fix atomic context locking issue
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:18.117Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43423

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:54.390

Modified: 2026-05-22T17:44:46.243

Link: CVE-2026-43423

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43423 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T18:00:14Z

Weaknesses