* CVE-2026-43424: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
@ 2026-05-08 14:22 Greg Kroah-Hartman
0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2026-05-08 14:22 UTC (permalink / raw)
To: linux-cve-announce; +Cc: Greg Kroah-Hartman
From: Greg Kroah-Hartman <gregkh@kernel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be
NULL if the USB host sends requests before the nexus is fully
established or immediately after it is dropped.
Currently, functions like `bot_submit_command()` and the data
transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
dereference `tv_nexus->tvn_se_sess` without any validation. If a
malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
command during this race window, it triggers a NULL pointer
dereference, leading to a kernel panic (local DoS).
This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.
Fix this by bringing consistency to the nexus handling. Add the
missing `if (!tv_nexus)` checks to the vulnerable BOT command and
request processing paths, aborting the command gracefully with an
error instead of crashing the system.
The Linux kernel CVE team has assigned CVE-2026-43424 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 5.10.253 with commit b9b26d7f3aa288cfa54a7bc68612bab1f153f156
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.1.167 with commit 2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.6.130 with commit d146f27758049fa55ae4c53785a852d3cf7a18d6
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.12.78 with commit f962ca3b020e13d6714f27e8c36fe742441c58d1
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.18.19 with commit 679d9535aeb15c10bce89c44102004b96624d706
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.19.9 with commit 3d309b37633c4a847fc149939a2c9576f1aa1065
Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 7.0 with commit b9fde507355342a2d64225d582dc8b98ff5ecb19
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2026-43424
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/gadget/function/f_tcm.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156
https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7
https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6
https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1
https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706
https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065
https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-05-08 14:26 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-08 14:22 CVE-2026-43424: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox