GHSA-8459-CMH7-PX33

Vulnerability from github – Published: 2026-03-25 12:30 – Updated: 2026-03-25 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: align net_device lifecycle with bind/unbind

Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind).

This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling sysfs links and NULL pointer dereferences when accessing the freed gadget device.

Problem 1: NULL pointer dereference on disconnect
 Unable to handle kernel NULL pointer dereference at virtual address
 0000000000000000
 Call trace:
   __pi_strlen+0x14/0x150
   rtnl_fill_ifinfo+0x6b4/0x708
   rtmsg_ifinfo_build_skb+0xd8/0x13c
   rtmsg_ifinfo+0x50/0xa0
   __dev_notify_flags+0x4c/0x1f0
   dev_change_flags+0x54/0x70
   do_setlink+0x390/0xebc
   rtnl_newlink+0x7d0/0xac8
   rtnetlink_rcv_msg+0x27c/0x410
   netlink_rcv_skb+0x134/0x150
   rtnetlink_rcv+0x18/0x28
   netlink_unicast+0x254/0x3f0
   netlink_sendmsg+0x2e0/0x3d4

Problem 2: Dangling sysfs symlinks
 console:/ # ls -l /sys/class/net/ncm0
 lrwxrwxrwx ... /sys/class/net/ncm0 ->
 /sys/devices/platform/.../gadget.0/net/ncm0
 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
 ls: .../gadget.0/net/ncm0: No such file or directory

Move the net_device allocation to ncm_bind() and deallocation to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration.

To support pre-bind configuration (e.g., setting interface name or MAC address via configfs), cache user-provided options in f_ncm_opts using the gether_opts structure. Apply these cached settings to the net_device upon creation in ncm_bind().

Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). Check opts->net in ncm_set_alt() and ncm_disable() to ensure gether_disconnect() runs only if a connection was established.
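A userspace model of the lifecycle the fix establishes, added here as an example and not code from the kernel or the f_ncm driver: the net_device is created in bind and freed in unbind, pre-bind settings are cached, and disable checks opts->net before disconnecting. The struct layouts, ncm_set_ifname() and run_lifecycle() are assumptions made for illustration.

```c
/* Userspace model of the lifecycle the fix establishes (added example, not the
 * kernel's f_ncm code): the net_device is created in bind() and freed in unbind(),
 * pre-bind configfs settings are cached in gether_opts, and disable() checks
 * opts->net before disconnecting. Struct layouts and run_lifecycle() are assumptions. */
#include <stdlib.h>
#include <string.h>

struct gadget_dev { const char *name; };                 /* stands in for the USB gadget */
struct net_dev { char ifname[16]; struct gadget_dev *parent; };
struct gether_opts { char ifname[16]; };                 /* cached user settings (name, MAC, ...) */
struct f_ncm_opts { struct gether_opts cache; struct net_dev *net; int disconnects; };

/* alloc_inst only prepares the cache; nothing network-facing exists yet */
void ncm_alloc_inst(struct f_ncm_opts *opts) { memset(opts, 0, sizeof(*opts)); }

/* a pre-bind configfs write lands in the cache, not in a net_device */
void ncm_set_ifname(struct f_ncm_opts *opts, const char *name) {
    strncpy(opts->cache.ifname, name, sizeof(opts->cache.ifname) - 1);
}

/* bind: create the net_device under its parent and apply the cached options */
int ncm_bind(struct f_ncm_opts *opts, struct gadget_dev *gadget) {
    struct net_dev *net = calloc(1, sizeof(*net));
    if (!net) return -1;
    memcpy(net->ifname, opts->cache.ifname, sizeof(net->ifname));
    net->parent = gadget;
    opts->net = net;
    return 0;
}

/* disable: run gether_disconnect() only if a connection was established */
void ncm_disable(struct f_ncm_opts *opts) {
    if (!opts->net) return;              /* guard preserved from commit 6334b8e4553c */
    opts->disconnects++;                 /* models gether_disconnect() */
}

/* unbind: the net_device goes away with the gadget, never outliving it */
void ncm_unbind(struct f_ncm_opts *opts) { free(opts->net); opts->net = NULL; }

/* Walk one bind/unbind cycle; returns how many of the 5 lifecycle invariants held. */
int run_lifecycle(void) {
    struct f_ncm_opts o; struct gadget_dev g = { "gadget.0" }; int ok = 0;
    ncm_alloc_inst(&o); ncm_set_ifname(&o, "ncm0");
    ncm_disable(&o); ok += (o.disconnects == 0);          /* unbound: must be a no-op */
    ok += (ncm_bind(&o, &g) == 0 && strcmp(o.net->ifname, "ncm0") == 0);
    if (!o.net) return ok;                                 /* allocation failed: stop here */
    ok += (o.net->parent == &g);                           /* parent link is live */
    ncm_disable(&o); ok += (o.disconnects == 1);          /* bound: disconnect runs */
    ncm_unbind(&o); ncm_disable(&o); ok += (o.net == NULL && o.disconnects == 1);
    return ok;
}
```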


{
  "affected": [],
  "aliases": [
    "CVE-2026-23320"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T11:16:28Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: align net_device lifecycle with bind/unbind\n\nCurrently, the net_device is allocated in ncm_alloc_inst() and freed in\nncm_free_inst(). This ties the network interface\u0027s lifetime to the\nconfiguration instance rather than the USB connection (bind/unbind).\n\nThis decoupling causes issues when the USB gadget is disconnected where\nthe underlying gadget device is removed. The net_device can outlive its\nparent, leading to dangling sysfs links and NULL pointer dereferences\nwhen accessing the freed gadget device.\n\nProblem 1: NULL pointer dereference on disconnect\n Unable to handle kernel NULL pointer dereference at virtual address\n 0000000000000000\n Call trace:\n   __pi_strlen+0x14/0x150\n   rtnl_fill_ifinfo+0x6b4/0x708\n   rtmsg_ifinfo_build_skb+0xd8/0x13c\n   rtmsg_ifinfo+0x50/0xa0\n   __dev_notify_flags+0x4c/0x1f0\n   dev_change_flags+0x54/0x70\n   do_setlink+0x390/0xebc\n   rtnl_newlink+0x7d0/0xac8\n   rtnetlink_rcv_msg+0x27c/0x410\n   netlink_rcv_skb+0x134/0x150\n   rtnetlink_rcv+0x18/0x28\n   netlink_unicast+0x254/0x3f0\n   netlink_sendmsg+0x2e0/0x3d4\n\nProblem 2: Dangling sysfs symlinks\n console:/ # ls -l /sys/class/net/ncm0\n lrwxrwxrwx ... /sys/class/net/ncm0 -\u003e\n /sys/devices/platform/.../gadget.0/net/ncm0\n console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0\n ls: .../gadget.0/net/ncm0: No such file or directory\n\nMove the net_device allocation to ncm_bind() and deallocation to\nncm_unbind(). This ensures the network interface exists only when the\ngadget function is actually bound to a configuration.\n\nTo support pre-bind configuration (e.g., setting interface name or MAC\naddress via configfs), cache user-provided options in f_ncm_opts\nusing the gether_opts structure. Apply these cached settings to the\nnet_device upon creation in ncm_bind().\n\nPreserve the use-after-free fix from commit 6334b8e4553c (\"usb: gadget:\nf_ncm: Fix UAF ncm object at re-bind after usb ep transport error\").\nCheck opts-\u003enet in ncm_set_alt() and ncm_disable() to ensure\ngether_disconnect() runs only if a connection was established.",
  "id": "GHSA-8459-cmh7-px33",
  "modified": "2026-03-25T12:30:22Z",
  "published": "2026-03-25T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23320"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/188338c1827842f898761a939669cf345bdf07e2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/56a512a9b4107079f68701e7d55da8507eb963d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b62076e780a2121903ecf9ffdfb89c64647cb7da"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

