CVE-2025-40092
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: Refactor bind path to use __free()
After a bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.
Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
 usb_ep_free_request+0x2c/0xec
 ncm_bind+0x39c/0x3dc
 usb_add_function+0xcc/0x1f0
 configfs_composite_bind+0x468/0x588
 gadget_bind_driver+0x104/0x270
 really_probe+0x190/0x374
 __driver_probe_device+0xa0/0x12c
 driver_probe_device+0x3c/0x218
 __device_attach_driver+0x14c/0x188
 bus_for_each_drv+0x10c/0x168
 __device_attach+0xfc/0x198
 device_initial_probe+0x14/0x24
 bus_probe_device+0x94/0x11c
 device_add+0x268/0x48c
 usb_add_gadget+0x198/0x28c
 dwc3_gadget_init+0x700/0x858
 __dwc3_set_mode+0x3cc/0x664
 process_scheduled_works+0x1d8/0x488
 worker_thread+0x244/0x334
 kthread+0x114/0x1bc
 ret_from_fork+0x10/0x20
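The failure sequence described above, as an added user-space C model that is not the kernel's f_ncm code: bind_legacy uses a unified error label, bind_fixed uses the compiler's scope-based cleanup attribute that the kernel's __free() is built on. All struct and function names, the static request pool, and the assumption that the endpoint has no ops after unbind are constructed for illustration.

```c
/* Constructed user-space model of the bind error path; names are illustrative. */
#include <stddef.h>
struct req { struct ep *ep; int live; };
struct ep_ops { void (*free_request)(struct req *r); };
struct ep { const struct ep_ops *ops; };
struct ncm { struct ep *notify; struct req *notify_req; };
static struct req pool[8];      /* static pool stands in for the allocator */
static int pool_next, faults;   /* faults: accesses where the kernel would oops */
static void impl_free(struct req *r) { if (r) r->live = 0; }
static const struct ep_ops udc_ops = { impl_free };
static void ep_free_request(struct ep *ep, struct req *r) {
    if (!ep->ops) { faults++; return; }   /* NULL ep->ops: the faulting access */
    ep->ops->free_request(r);
}
static struct req *ep_alloc_request(struct ep *ep) {
    struct req *r = pool_next < 8 ? &pool[pool_next++] : NULL;
    if (r) { r->ep = ep; r->live = 1; }
    return r;
}
static void req_cleanup(struct req **p) { if (*p) ep_free_request((*p)->ep, *p); }
static void ncm_unbind(struct ncm *n) {
    ep_free_request(n->notify, n->notify_req);   /* pointer is left set (stale) */
    n->notify->ops = NULL;                       /* assumption: ep loses its ops */
}
/* fail_at: 0 = success, 1 = fail before allocation, 2 = fail after it */
static int bind_legacy(struct ncm *n, struct ep *ep, int fail_at) {
    if (fail_at == 1) goto fail;
    ep->ops = &udc_ops; n->notify = ep;
    n->notify_req = ep_alloc_request(ep);
    if (!n->notify_req || fail_at == 2) goto fail;
    return 0;
fail:   /* unified label cannot tell a stale request from a fresh one */
    if (n->notify_req) ep_free_request(n->notify, n->notify_req);
    return -1;
}
static int bind_fixed(struct ncm *n, struct ep *ep, int fail_at) {
    struct req *r __attribute__((cleanup(req_cleanup))) = NULL;
    if (fail_at == 1) return -1;
    ep->ops = &udc_ops; r = ep_alloc_request(ep);
    if (!r || fail_at == 2) return -1;              /* r freed on scope exit */
    n->notify = ep; n->notify_req = r; r = NULL;    /* ownership moves to ncm */
    return 0;
}
/* bind, unbind, then a bind failing at fail_at; returns the faults recorded */
static int rebind_faults(int (*bind)(struct ncm *, struct ep *, int), int fail_at) {
    struct ep ep = { 0 }; struct ncm n = { 0 }; faults = 0;
    bind(&n, &ep, 0); ncm_unbind(&n); bind(&n, &ep, fail_at);
    return faults;
}
```

In this model rebind_faults(bind_legacy, 1) records one faulting access and rebind_faults(bind_fixed, 1) records none, because the fixed path only ever releases the request it allocated in the current call.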
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's USB gadget f_ncm driver, a dangling request pointer after bind/unbind cycles can cause a NULL pointer dereference during subsequent binds, leading to a kernel crash.
Vulnerability Description
The vulnerability resides in the USB gadget f_ncm driver in the Linux kernel. After completing a bind/unbind cycle, the ncm->notify_req pointer remains stale. If a subsequent bind operation fails, the error handling path attempts to free this stale request, resulting in a NULL pointer dereference when accessing ep->ops->free_request. This manifests as a kernel panic with a crash trace indicating usb_ep_free_request as the faulting function.
Exploitation Conditions
To trigger the issue, an attacker must be able to perform a bind/unbind cycle on the USB gadget subsystem and then cause a bind failure. This requires access to the gadget configuration interface (e.g., configfs) and the ability to induce a failure, such as by exhausting resources or providing invalid parameters. No authentication beyond local access is required, but the attacker must have the capability to interact with the USB gadget system.
Impact
Successful exploitation leads to a kernel NULL pointer dereference, which causes a system crash (denial of service). There is no indication of memory corruption or arbitrary code execution; the impact is limited to availability.
Mitigation
Patches are available in the stable kernel trees via commits [1], [2], and [3]. Users should update their Linux kernel to a version containing these fixes. No workarounds have been identified beyond applying the patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (6)
- 185193a4714a
- f37de8dec6a4
- 1cde4516295a
- d3fe7143928d
- ed78f4d6079d
- 75a5b8d4ddd4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- git.kernel.org/stable/c/185193a4714aa9c78437a7a1858fbe5771f0f45c (nvd)
- git.kernel.org/stable/c/1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2 (nvd)
- git.kernel.org/stable/c/75a5b8d4ddd4eb6b16cb0b475d14ff4ae64295ef (nvd)
- git.kernel.org/stable/c/d3fe7143928d8dfa2ec7bac9f906b48bc75b98ee (nvd)
- git.kernel.org/stable/c/ed78f4d6079d872432b1ed54f155ef61965d3137 (nvd)
- git.kernel.org/stable/c/f37de8dec6a4c379b4b8486003a1de00ff8cff3b (nvd)