CVE-2025-40093
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ecm: Refactor bind path to use __free()
After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.
Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Linux kernel's USB gadget f_ecm driver, a NULL pointer dereference occurs during bind/unbind cycles due to stale notify_req.
Vulnerability
The vulnerability resides in the Linux kernel's USB gadget f_ecm driver. During a bind/unbind cycle, the ecm->notify_req pointer is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request [1].
Exploitation
Exploitation requires local access to trigger USB gadget bind/unbind cycles. An attacker with the ability to manipulate USB gadget configuration, such as via sysfs or certain user-space interactions, can cause the system to crash [1][2].
Impact
The impact is a denial of service (system crash) due to the NULL pointer dereference. There is no indication of privilege escalation or data corruption.
Mitigation
The fix refactors the error handling in the bind path to use the __free() automatic cleanup mechanism, preventing the use-after-free condition. Patches have been applied to the Linux kernel stable branches as seen in references [1] and [2]. Users are advised to update to the latest kernel versions.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
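The pattern described above, as an added user-space model in C that is not the kernel's f_ecm code or the actual patch: a unified error label frees a request pointer left stale by the previous unbind, while a scoped local using the compiler cleanup attribute (which the kernel's __free() wraps) frees only what the current bind allocated. All names except notify_req are hypothetical, and a static pool stands in for the USB request allocator so the stale free is counted instead of crashing.

```c
/* User-space model (constructed; not kernel code) of a bind error path. */
#include <stdio.h>
#include <stddef.h>

struct req { int live; };
struct ecm { struct req *notify_req; };  /* outlives one bind/unbind cycle */

static struct req pool[8];               /* static pool: a stale free is counted, not UB */
static int next_slot, stale_frees;

static struct req *req_alloc(void) { struct req *r = &pool[next_slot++ % 8]; r->live = 1; return r; }
static void req_free(struct req *r) { if (!r->live) stale_frees++; r->live = 0; }
static void unbind(struct ecm *e) { req_free(e->notify_req); }  /* pointer left stale */

/* Before: one error label frees whatever the long-lived struct points at. */
static int bind_legacy(struct ecm *e, int fail_early)
{
    if (fail_early) goto fail;           /* fails before this bind allocated anything */
    e->notify_req = req_alloc();
    return 0;
fail:
    if (e->notify_req) req_free(e->notify_req);  /* previous cycle's request */
    return -1;
}

/* After: the request lives in a scoped local until bind has succeeded. */
static void req_cleanup(struct req **p) { if (*p) req_free(*p); }
static int bind_scoped(struct ecm *e, int fail_early, int fail_late)
{
    struct req *r __attribute__((cleanup(req_cleanup))) = NULL;
    if (fail_early) return -1;           /* r is NULL: nothing is freed */
    r = req_alloc();
    if (fail_late) return -1;            /* r is freed automatically, exactly once */
    e->notify_req = r;
    r = NULL;                            /* hand over ownership (kernel: no_free_ptr()) */
    return 0;
}

/* Run bind, unbind, failing bind and report how many stale frees happened. */
static int run_cycle(int scoped)
{
    struct ecm e = { NULL };
    stale_frees = 0;
    if (scoped) { bind_scoped(&e, 0, 0); unbind(&e); bind_scoped(&e, 1, 0); }
    else        { bind_legacy(&e, 0);    unbind(&e); bind_legacy(&e, 1); }
    return stale_frees;
}

int main(void) { printf("legacy=%d scoped=%d\n", run_cycle(0), run_cycle(1)); return 0; }
```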
Affected products (1)
Patches (5)
- d3745aaef191
- 070f341d86cf
- 15b9faf53ba8
- 4630c68bade8
- 42988380ac67
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/070f341d86cf2c098d63e484a86c7c1d2696a868 (nvd)
- git.kernel.org/stable/c/15b9faf53ba8719700596e7ef78879ce200e8c2e (nvd)
- git.kernel.org/stable/c/42988380ac67c76bb9dff8f77d7ef3eefd50b7b5 (nvd)
- git.kernel.org/stable/c/4630c68bade82f087eaaab22e9a361da2f18d139 (nvd)
- git.kernel.org/stable/c/d3745aaef19198d0c81637a7dd50ef53c4f879b7 (nvd)