CVE-2026-43421
Undergoing Analysis Undergoing Analysis - In Progress
USB Gadget NCM Net Device Lifecycle Fix

Publication date: 2026-05-08

Last updated on: 2026-05-22

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS. Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding. Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind. [1] https://lore.kernel.org/lkml/[email protected]/ [2] https://lore.kernel.org/linux-usb/[email protected]/
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-22
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43421
EUVD
EUVD-2026-28727
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.19 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 3.11 (inc) to 6.12.78 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB gadget function for network control model (f_ncm). It occurs because the network device (net_device) outlives its parent gadget device during disconnection, which leads to dangling sysfs links and null pointer dereference issues.

Previous attempts to fix this problem either caused regressions related to power management or broke the one-to-one mapping between the function instance and the network device, which affected DHCP server functionality.

The final fix uses device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ during bind and unbind cycles. This preserves the network interface across USB reconnections and allows the DHCP server to maintain its binding.

Impact Analysis

This vulnerability can cause system instability due to null pointer dereferences when the network device outlives its parent gadget device during USB disconnection.

It can also lead to dangling sysfs links, which may cause unexpected behavior or errors in system management tools.

Additionally, improper handling of the network device lifecycle can break DHCP server functionality, potentially disrupting network connectivity on affected systems.

Mitigation Strategies

The vulnerability has been resolved in the Linux kernel by fixing the net_device lifecycle with device_move to properly reparent the network device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43421. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart