Skip to main content

Linux Kernel EUVDEUVD-2026-28727

| CVE-2026-43421 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-w77g-4c35-prwp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector and low privileges required to trigger USB gadget disconnect; purely availability impact with no confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 19, 2026 - 16:01 vuln.today
CVSS changed
Jun 19, 2026 - 13:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Fix net_device lifecycle with device_move

The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems.

A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression.

A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS.

Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain their binding.

Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind.

[1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/ [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/

AnalysisAI

Null pointer dereference in the Linux kernel USB NCM gadget subsystem (f_ncm) causes kernel crashes during USB device disconnection cycles. The vulnerability stems from a net_device lifecycle management flaw where the network device outlives its parent gadget device, leaving dangling sysfs links that trigger null pointer dereferences. Systems acting as USB NCM gadgets - common in embedded Linux, postmarketOS, and USB tethering scenarios - are exposed to local denial-of-service conditions upon USB reconnection. No public exploit exists and EPSS stands at 0.02%, indicating very low exploitation probability; however, the bug can be triggered by any low-privileged local user on an affected configuration.

Technical ContextAI

The vulnerability resides in drivers/usb/gadget/function/f_ncm.c, the kernel's USB Network Control Model gadget implementation (CWE-476: NULL Pointer Dereference). When a USB gadget device is disconnected and reconnected, the net_device (representing the network interface) must be correctly reparented between the gadget device node and /sys/devices/virtual/. Prior fixes either removed SET_NETDEV_DEV (causing power management regressions) or deferred net_device allocation to bind time (breaking configfs interface name reporting and causing DHCP failures on pmOS). The root cause is a use-after-free/dangling pointer scenario: the net_device kobject retains a sysfs reference to the parent gadget device after that device is torn down, and subsequent access dereferences the now-invalid pointer. The fix uses device_move() to atomically reparent the net_device, introduces gether_attach_gadget()/gether_detach_gadget() lifecycle helpers, and uses a bind_count guard to ensure device_move executes only on the first bind. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across multiple stable branches from commit 40d133d7f542616cf9538508a372306e626a16e9.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version: 7.0, 6.19.9, 6.18.19, or 6.12.78, depending on the stable branch in use. Patches are available directly from the kernel stable tree at https://git.kernel.org/stable/c/ (commits 93f116c339, e584cb58a2, 85acaba2f4, and ec35c19696 for respective branches). Distribution maintainers running RHEL, Debian, Ubuntu, or postmarketOS should monitor their vendor security channels for backported fixes. As a compensating control where immediate kernel upgrade is not feasible, disabling or unloading the f_ncm USB gadget module (modprobe -r usb_f_ncm) will eliminate the attack surface entirely, at the cost of losing USB NCM tethering or gadget networking functionality. Systems not using USB gadget mode (i.e., standard workstations and servers) are unaffected and require no action. No workaround addresses the root cause; module removal is the only effective interim mitigation.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-28727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy