Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be
NULL if the USB host sends requests before the nexus is fully
established or immediately after it is dropped.

Currently, functions like `bot_submit_command()` and the data
transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
dereference `tv_nexus->tvn_se_sess` without any validation. If a
malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
command during this race window, it triggers a NULL pointer
dereference, leading to a kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.

Fix this by bringing consistency to the nexus handling. Add the
missing `if (!tv_nexus)` checks to the vulnerable BOT command and
request processing paths, aborting the command gracefully with an
error instead of crashing the system.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel USB target driver, the f_tcm gadget can dereference a pointer to a nexus structure, tpg->tpg_nexus, without checking that it is non‑NULL. If a USB host sends a Bulk‑Only Transport command while the nexus is still being established or immediately after it has been dropped, the driver accesses tv_nexus->tvn_se_sess on a NULL pointer, triggering a kernel panic that halts the system. The weakness is classified as CWE‑476.

Affected Systems

The flaw affects all Linux kernel releases in which the f_tcm gadget is compiled and enabled. The affected product listed in the CPE catalogue includes the generic linux_kernel platform, as well as kernel versions 7.0 releases candidate 1 through 4. All Linux distributions that ship a kernel containing the unpatched gadget are impacted, regardless of how the kernel is packaged.

Risk and Exploitability

The CVSS score of 5.5 reflects a moderate severity local denial of service. The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating that it is currently considered low probability of widespread exploitation. Because the driver runs in kernel space, an attacker must physically connect a USB host capable of sending the vulnerable BOT command; remote exploitation is not possible. Exploitation requires a timing window between nexus creation or destruction, making the attack technically complex but not impossible if an adversary gains physical access to the device.

Generated by OpenCVE AI on May 20, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a revision that includes the patch adding the missing null checks to tpg_nexus handling in the f_tcm driver
  • If the f_tcm gadget is not required, disable it or remove it from ConfigFS so that no target device can be created
  • Monitor kernel logs for "Null Pointer" or "kernel panic" messages that may indicate an attempted race‑condition exploit

Generated by OpenCVE AI on May 20, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Wed, 20 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Wed, 20 May 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 12:15:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system.
Title usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:24:19.268Z

Reserved: 2026-05-01T14:12:56.008Z

Link: CVE-2026-43424

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T15:16:54.497

Modified: 2026-05-20T18:37:33.487

Link: CVE-2026-43424

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43424 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T21:00:12Z

Weaknesses