From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0D39C3F1640 for ; Fri, 8 May 2026 14:26:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250390; cv=none; b=Qx4zkGbVUFnwCQCOJOcF9HfIx0n70hrbGY1SrA37o3Rj3eQ4RMZA/S6rx5HE16eH08qNA0+kNFsQxaAdid8WCKWJ62p09prF7tBhAVsafynjoO1qATFbkMl06QL6pszqXx/EOlv0Z2SMy171Oz333qGVCZRMCIOF0Bm6LEQYRD0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778250390; c=relaxed/simple; bh=O8yVhh+tlX2ofhYYAjWj5XvovG+Ix8YS5/uultYT8Pw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=MovlsV/cIVTseyKtcbj+HVyAnJpXy2LgXhJHBsIAtaIh6Sn4TpSPk5KsoF8GmejZNUE1kVG6e/L1JKmhQsUmhqkMElY2Dl6D0gzRILm+nmGG11TMpWfw7hgYVa1wzppxxB+Bjvq49RDGwQpindVigegKT/2MxmU3/thFAzPR7kA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=lA+Y5I+5; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="lA+Y5I+5" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 22092C2BCB0; Fri, 8 May 2026 14:26:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778250389; bh=O8yVhh+tlX2ofhYYAjWj5XvovG+Ix8YS5/uultYT8Pw=; h=From:To:Cc:Subject:Date:Reply-To:From; b=lA+Y5I+50593Zgops+dnAIv7HbSgmR97OE8VxLYJ24HIYY2vFimQGzJQpP6eQosBs Junb004qnDRsH1j2aVt5rkCZ0Jihp0ve4JjBjk1M01H6ncMjz1uxmT2GpDd1WQjED9 Vcsw4dOfLcG8NKApBhnnErFlrYesP0KJ5ZXyHTY0= From: Greg Kroah-Hartman To: linux-cve-announce@vger.kernel.org Cc: Greg Kroah-Hartman Subject: CVE-2026-43424: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling Date: Fri, 8 May 2026 16:22:33 +0200 Message-ID: <2026050848-CVE-2026-43424-0d0d@gregkh> X-Mailer: git-send-email 2.54.0 Reply-To: , Precedence: bulk X-Mailing-List: linux-cve-announce@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4005; i=gregkh@linuxfoundation.org; h=from:subject:message-id; bh=FK6tP1MHf2b5I73mmoHx2aytP/czyw/4W1dUf97e7Yk=; b=owGbwMvMwCRo6H6F97bub03G02pJDJl/P9bwFCYnxar8Y/0wJX/2VxntZ5Mn/6xdx7lS+mCcQ 82iB+v4OmJZGASZGGTFFFm+bOM5ur/ikKKXoe1pmDmsTCBDGLg4BWAi2c8YFlzKuPBk13v1C9WH 95xrmCSrt5n/OCPDPPWykHXBF1v9nk6c/lvWjmctC8sxBgA= X-Developer-Key: i=gregkh@linuxfoundation.org; a=openpgp; fpr=F4B60CC5BF78C2214A313DCB3147D40DDB2DFB29 Content-Transfer-Encoding: 8bit From: Greg Kroah-Hartman Description =========== In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system. The Linux kernel CVE team has assigned CVE-2026-43424 to this issue. Affected and fixed versions =========================== Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 5.10.253 with commit b9b26d7f3aa288cfa54a7bc68612bab1f153f156 Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.1.167 with commit 2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7 Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.6.130 with commit d146f27758049fa55ae4c53785a852d3cf7a18d6 Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.12.78 with commit f962ca3b020e13d6714f27e8c36fe742441c58d1 Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.18.19 with commit 679d9535aeb15c10bce89c44102004b96624d706 Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 6.19.9 with commit 3d309b37633c4a847fc149939a2c9576f1aa1065 Issue introduced in 3.5 with commit c52661d60f636d17e26ad834457db333bd1df494 and fixed in 7.0 with commit b9fde507355342a2d64225d582dc8b98ff5ecb19 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2026-43424 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/usb/gadget/function/f_tcm.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156 https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7 https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6 https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1 https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706 https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065 https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19