CVE-2026-23320
Use-After-Free and NULL Pointer Dereference in Linux USB f_ncm Gadget
Publication date: 2026-03-25
Last updated on: 2026-04-03
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB gadget function f_ncm, where the lifecycle of the network device (net_device) is not properly aligned with the USB connection's bind and unbind events.
Specifically, allocation and freeing of the net_device are tied to the configuration instance rather than to the actual USB connection. As a result, the net_device can outlive its parent gadget device when the USB gadget is disconnected.
As a result, this can lead to two main problems: a NULL pointer dereference on disconnect, causing kernel crashes, and dangling sysfs symbolic links pointing to non-existent device entries.
The fix involves moving the allocation and deallocation of the net_device to the USB bind and unbind functions, ensuring the network interface only exists while the gadget function is bound.
How can this vulnerability impact me?
This vulnerability can cause system instability or crashes due to NULL pointer dereferences when the USB gadget device is disconnected.
Additionally, it can leave dangling symbolic links in the sysfs filesystem, which may confuse system management tools or scripts that rely on these links to represent device states.
Overall, it can lead to unexpected behavior or failures in USB network gadget functionality, potentially disrupting network connectivity or device management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing kernel NULL pointer dereference errors related to the USB gadget f_ncm function, especially on disconnect events. One symptom is kernel crashes with call traces involving rtnl_fill_ifinfo and related network device functions.
Additionally, dangling sysfs symlinks can be checked by listing the network device symbolic links under /sys/class/net and verifying if their targets exist.
- Check for dangling sysfs symlinks with: ls -l /sys/class/net/ncm0 and then ls -l on the target path to see if it exists.
- Monitor kernel logs (e.g., dmesg) for NULL pointer dereference errors related to f_ncm or net_device lifecycle issues.
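The two checks above, combined into one script. This is an added example, not part of the original advisory; the 40-line search window and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check the two symptoms described above.

# Print every entry in a sysfs net class directory whose symlink target is gone.
# $1: directory to scan; defaults to /sys/class/net.
find_dangling_netdev_links() {
    dir="${1:-/sys/class/net}"
    for link in "$dir"/*; do
        # -L: entry is a symlink; ! -e: resolving it fails, so it dangles.
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf '%s -> %s\n' "${link##*/}" "$(readlink "$link")"
        fi
    done
}

# Read kernel log text on stdin. For each NULL pointer dereference report,
# print the report line and the first rtnl_fill_ifinfo frame that follows it
# within 40 lines (the window size is an assumption, not a kernel constant).
scan_oops_log() {
    awk '
        /NULL pointer dereference/ { head = $0; window = 40; next }
        window > 0 {
            window--
            if (/rtnl_fill_ifinfo/) { print head; print $0; window = 0 }
        }'
}

# Constructed sample log lines (not captured from a real system).
sample_log() {
    cat <<'EOF'
[  101.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  101.000002] Call trace:
[  101.000003]  rtnl_fill_ifinfo+0x0/0x0
[  101.000004] usb: unrelated message
EOF
}

# Demo on the sample; on a live host run: dmesg | scan_oops_log
sample_log | scan_oops_log
find_dangling_netdev_links
```

A report without an rtnl_fill_ifinfo frame in its trace is not printed, so an empty result from `scan_oops_log` does not rule out other crashes in the log.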
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Linux kernel to a version where the net_device lifecycle for the f_ncm USB gadget function is properly aligned with the bind/unbind events.
This fix moves net_device allocation to ncm_bind() and deallocation to ncm_unbind(), preventing the net_device from outliving its parent gadget device and avoiding NULL pointer dereferences and dangling sysfs links.
Until an update is applied, avoid abruptly disconnecting USB gadgets that use the f_ncm function, and monitor system logs for related errors.