Skip to main content

Linux Kernel CVE-2026-43424

| EUVDEUVD-2026-28730 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-rx37-q58j-c4c7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 18:53 vuln.today
CVSS changed
May 20, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

The tpg->tpg_nexus pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped.

Currently, functions like bot_submit_command() and the data transfer paths retrieve tv_nexus = tpg->tpg_nexus and immediately dereference tv_nexus->tvn_se_sess without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer functions like usbg_submit_command() and bot_send_bad_response() correctly implement a NULL check for tv_nexus before proceeding.

Fix this by bringing consistency to the nexus handling. Add the missing if (!tv_nexus) checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system.

AnalysisAI

NULL pointer dereference in the Linux kernel's USB gadget f_tcm (USB Target Controller Module) driver allows an authenticated local attacker with USB host access to trigger a kernel panic by sending Bulk-Only Transport (BOT) commands during a race window where the ConfigFS-managed nexus pointer is uninitialized or torn down. Affected systems are those acting as USB gadgets - primarily embedded devices and single-board computers - running kernel versions from commit c52661d60f636d17e26ad834457db333bd1df494 onward without the applied fix. No public exploit exists and the vulnerability is absent from CISA KEV; EPSS of 0.02% (7th percentile) confirms negligible observed exploitation activity.

Technical ContextAI

The flaw resides in the Linux kernel's USB gadget subsystem, specifically in the f_tcm driver (drivers/usb/gadget/function/f_tcm.c), which implements USB Mass Storage using the Bulk-Only Transport protocol backed by a SCSI target engine. The tpg->tpg_nexus pointer represents the binding between a USB host session and the SCSI target processing context; it is dynamically created and destroyed through ConfigFS userspace configuration. Functions bot_submit_command() and associated data transfer paths fetch tv_nexus = tpg->tpg_nexus and immediately dereference tv_nexus->tvn_se_sess without a NULL guard - a textbook CWE-476 (NULL Pointer Dereference) flaw. Peer functions usbg_submit_command() and bot_send_bad_response() in the same driver already perform correct NULL validation, making this an internal API inconsistency introduced at commit c52661d60f636d17e26ad834457db333bd1df494. Affected products are identified via CPE cpe:2.3:a:linux:linux:*.

RemediationAI

Upgrade to a patched Linux kernel version: 5.10.253, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0, as confirmed by EUVD-2026-28730. The upstream fixes are available via the following stable kernel commits at git.kernel.org: b9b26d7f3aa288cfa54a7bc68612bab1f153f156, 2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7, d146f27758049fa55ae4c53785a852d3cf7a18d6, f962ca3b020e13d6714f27e8c36fe742441c58d1, 679d9535aeb15c10bce89c44102004b96624d706, 3d309b37633c4a847fc149939a2c9576f1aa1065, and b9fde507355342a2d64225d582dc8b98ff5ecb19. For systems that cannot be patched immediately, unload or blacklist the usb_f_tcm module (modprobe -r usb_f_tcm and add it to /etc/modprobe.d/blacklist.conf) if USB Target gadget functionality is not operationally required - this eliminates the attack surface entirely, with the trade-off of losing USB Mass Storage gadget capability. On systems where the gadget must remain active, restrict physical USB host access to the device and ensure ConfigFS nexus configuration completes fully before the gadget interface is exposed to any untrusted USB host.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy