{ "affected": [ { "ranges": [ { "events": [ { "introduced": "40d133d7f542616cf9538508a372306e626a16e9" }, { "fixed": "b62076e780a2121903ecf9ffdfb89c64647cb7da" }, { "fixed": "188338c1827842f898761a939669cf345bdf07e2" }, { "fixed": "56a512a9b4107079f68701e7d55da8507eb963d9" } ], "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "type": "GIT" } ] }, { "package": { "ecosystem": "Linux", "name": "Kernel" }, "ranges": [ { "events": [ { "introduced": "3.11.0" }, { "fixed": "6.18.17" } ], "type": "ECOSYSTEM" }, { "events": [ { "introduced": "6.19.0" }, { "fixed": "6.19.7" } ], "type": "ECOSYSTEM" } ] } ], "database_specific": { "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23320.json" }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: align net_device lifecycle with bind/unbind\n\nCurrently, the net_device is allocated in ncm_alloc_inst() and freed in\nncm_free_inst(). This ties the network interface's lifetime to the\nconfiguration instance rather than the USB connection (bind/unbind).\n\nThis decoupling causes issues when the USB gadget is disconnected where\nthe underlying gadget device is removed. The net_device can outlive its\nparent, leading to dangling sysfs links and NULL pointer dereferences\nwhen accessing the freed gadget device.\n\nProblem 1: NULL pointer dereference on disconnect\n Unable to handle kernel NULL pointer dereference at virtual address\n 0000000000000000\n Call trace:\n __pi_strlen+0x14/0x150\n rtnl_fill_ifinfo+0x6b4/0x708\n rtmsg_ifinfo_build_skb+0xd8/0x13c\n rtmsg_ifinfo+0x50/0xa0\n __dev_notify_flags+0x4c/0x1f0\n dev_change_flags+0x54/0x70\n do_setlink+0x390/0xebc\n rtnl_newlink+0x7d0/0xac8\n rtnetlink_rcv_msg+0x27c/0x410\n netlink_rcv_skb+0x134/0x150\n rtnetlink_rcv+0x18/0x28\n netlink_unicast+0x254/0x3f0\n netlink_sendmsg+0x2e0/0x3d4\n\nProblem 2: Dangling sysfs symlinks\n console:/ # ls -l /sys/class/net/ncm0\n lrwxrwxrwx ... /sys/class/net/ncm0 -\u003e\n /sys/devices/platform/.../gadget.0/net/ncm0\n console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0\n ls: .../gadget.0/net/ncm0: No such file or directory\n\nMove the net_device allocation to ncm_bind() and deallocation to\nncm_unbind(). This ensures the network interface exists only when the\ngadget function is actually bound to a configuration.\n\nTo support pre-bind configuration (e.g., setting interface name or MAC\naddress via configfs), cache user-provided options in f_ncm_opts\nusing the gether_opts structure. Apply these cached settings to the\nnet_device upon creation in ncm_bind().\n\nPreserve the use-after-free fix from commit 6334b8e4553c (\"usb: gadget:\nf_ncm: Fix UAF ncm object at re-bind after usb ep transport error\").\nCheck opts-\u003enet in ncm_set_alt() and ncm_disable() to ensure\ngether_disconnect() runs only if a connection was established.", "id": "CVE-2026-23320", "modified": "2026-04-01T23:09:20.804150967Z", "published": "2026-03-25T10:27:14.398Z", "references": [ { "type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/188338c1827842f898761a939669cf345bdf07e2" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/56a512a9b4107079f68701e7d55da8507eb963d9" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/b62076e780a2121903ecf9ffdfb89c64647cb7da" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23320.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23320" } ], "schema_version": "1.7.3", "summary": "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" }