CVE-2026-43424 - Vulnerability Details

- usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be
NULL if the USB host sends requests before the nexus is fully
established or immediately after it is dropped.

Currently, functions like `bot_submit_command()` and the data
transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
dereference `tv_nexus->tvn_se_sess` without any validation. If a
malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
command during this race window, it triggers a NULL pointer
dereference, leading to a kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.

Fix this by bringing consistency to the nexus handling. Add the
missing `if (!tv_nexus)` checks to the vulnerable BOT command and
request processing paths, aborting the command gracefully with an
error instead of crashing the system.

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel, the f_tcm USB target driver can dereference a pointer that is expected to reference a nexus structure, "tpg->tpg_nexus", without verifying that it is non‑NULL. When a USB host sends a Bulk‑Only Transport command during the brief race window before the nexus is fully established or immediately after it is dropped, the driver dereferences a NULL pointer, causing a kernel panic. The effect is a local denial of service that brings the kernel process table to an unrecoverable state.

Affected Systems

The flaw exists in the Linux kernel’s USB target driver across all releases in which the f_tcm gadget is enabled. The affected vendor is Linux; the impact is on all Linux kernel versions that contain the unpatched gadget, regardless of distribution. No specific version numbers are provided in this advisory.

Risk and Exploitability

The vulnerability is exploitable only by a malicious or misconfigured USB host that can send BOT commands during the race window. Because it is a local kernel panic, physical access to the device is required. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but its impact is high enough that any attack that succeeds will bring the system down. The missing null checks contrast with correctly handled functions such as usbg_submit_command, so the attack vector is an unguarded path in the driver.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< b9b26d7f3aa288cfa54a7bc68612bab1f153f156
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< 2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< d146f27758049fa55ae4c53785a852d3cf7a18d6
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< f962ca3b020e13d6714f27e8c36fe742441c58d1
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< 679d9535aeb15c10bce89c44102004b96624d706
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< 3d309b37633c4a847fc149939a2c9576f1aa1065
`c52661d60f636d17e26ad834457db333bd1df494`	affected	< b9fde507355342a2d64225d582dc8b98ff5ecb19

Linux

affected

Version	Status	Constraints
`3.5`	affected	—
`0`	unaffected	< 3.5
`5.10.253`	unaffected	≤ 5.10.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c52661d60f636d17e26ad834457db333bd1df494,b9b26d7f3aa288cfa54a7bc68612bab1f153f156)`	affected	code_commit	—
`[c52661d60f636d17e26ad834457db333bd1df494,2a2ef846a54a06c33b5c2d4b0d918583e1e7c156)`	affected	code_commit	—
`[c52661d60f636d17e26ad834457db333bd1df494,d146f27758049fa55ae4c53785a852d3cf7a18d6)`	affected	code_commit	—
`[c52661d60f636d17e26ad834457db333bd1df494,f962ca3b020e13d6714f27e8c36fe742441c58d1)`	affected	code_commit	—
`[c52661d60f636d17e26ad834457db333bd1df494,679d9535aeb15c10bce89c44102004b96624d706)`	affected	code_commit	—
`[c52661d60f636d17e26ad834457db333bd1df494,3d309b37633c4a847fc149939a2c9576f1aa1065)`	affected	code_commit	—
`[c52661d60f636d17e26ad834457db333bd1df494,b9fde507355342a2d64225d582dc8b98ff5ecb19)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.5`	affected	generic	—
`[0,3.5)`	unaffected	semver	—
`[5.10.253,5.11.0]`	unaffected	semver	—
`[6.1.167,6.2.0]`	unaffected	semver	—
`[6.6.130,6.7.0]`	unaffected	semver	—
`[6.12.78,6.13.0]`	unaffected	semver	—
`[6.18.19,6.19.0]`	unaffected	semver	—
`[6.19.9,6.20.0]`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a revision that includes the patch which adds null‑check validation to tpg_nexus handling in the f_tcm driver
If the f_tcm gadget is not required in your environment, disable it or limit its use to trusted devices through device‑mode or ConfigFS configuration
Optionally, monitor kernel logs for "Null Pointer" or "kernel panic" entries that could indicate a race condition exploit

Generated by OpenCVE AI on May 8, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7
https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065
https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706
https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156
https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19
https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6
https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1
https://lore.kernel.org/linux-cve-announce/2026050848-CVE-2026-43424-0d0d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43424
https://www.cve.org/CVERecord?id=CVE-2026-43424

History

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050848-CVE-2026-43424-0d0d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43424 https://www.cve.org/CVERecord?id=CVE-2026-43424

Fri, 08 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-362 CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system.
Title		usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7 https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065 https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706 https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156 https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19 https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6 https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:58.365Z

Updated: 2026-05-08T14:21:58.365Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43424

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:54.497

Modified: 2026-05-08T15:16:54.497

Link: CVE-2026-43424

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43424 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T22:15:18Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object