CVE-2025-40094
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_acm: Refactor bind path to use __free()
After a bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.
Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
 usb_ep_free_request+0x2c/0xec
 gs_free_req+0x30/0x44
 acm_bind+0x1b8/0x1f4
 usb_add_function+0xcc/0x1f0
 configfs_composite_bind+0x468/0x588
 gadget_bind_driver+0x104/0x270
 really_probe+0x190/0x374
 __driver_probe_device+0xa0/0x12c
 driver_probe_device+0x3c/0x218
 __device_attach_driver+0x14c/0x188
 bus_for_each_drv+0x10c/0x168
 __device_attach+0xfc/0x198
 device_initial_probe+0x14/0x24
 bus_probe_device+0x94/0x11c
 device_add+0x268/0x48c
 usb_add_gadget+0x198/0x28c
 dwc3_gadget_init+0x700/0x858
 __dwc3_set_mode+0x3cc/0x664
 process_scheduled_works+0x1d8/0x488
 worker_thread+0x244/0x334
 kthread+0x114/0x1bc
 ret_from_fork+0x10/0x20
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stale request pointer in the Linux kernel's USB f_acm gadget driver survives a bind/unbind cycle; if the next bind fails, the error path frees the already-released request and the kernel crashes on a NULL pointer dereference.
Vulnerability Analysis
CVE-2025-40094 is a NULL pointer dereference in the Linux kernel's USB gadget f_acm (CDC ACM serial) function driver. The unbind path releases acm->notify_req but does not clear the pointer, so after a bind/unbind cycle it still points at a request that no longer exists. If a later acm_bind fails, its single error label sees the non-NULL pointer and hands it to gs_free_req, which calls usb_ep_free_request; that call reads ep->ops->free_request through a NULL endpoint pointer, and the fault address 0000000000000020 in the trace is the small offset of that read from NULL [1].
Exploitation Conditions
Triggering the bug requires a bind/unbind cycle of the f_acm function followed by a bind that fails while acm->notify_req is still stale. On a USB gadget system that means being able to add and remove gadget configurations, normally through configfs, which requires root or equivalent capabilities; the call trace shows the rebind happening during a controller role switch (__dwc3_set_mode), so physical manipulation of the USB port may be enough to provoke the rebind, but the failing bind is still needed. The privilege needed is therefore the same as for managing gadget configurations, typically root or a user holding the appropriate capabilities [2].
Impact
Successful exploitation results in a kernel panic and therefore a denial of service (DoS); the trace in the description faults in usb_ep_free_request, reached from acm_bind. Because the stale pointer refers to a request released during unbind, the defect is a use-after-free by nature and could in principle be more than a crash, but the vendor description documents only the NULL pointer dereference, and nothing indicates remote exploitation or data exposure [3].
Mitigation Status
The fix is merged into the upstream Linux kernel. It refactors the bind error handling to use the __free() automatic cleanup mechanism, so a failed bind releases only the request allocated by that bind attempt and never touches the stale acm->notify_req [1]. Apply a stable kernel containing commit c4301e4dd6b3 or one of its backports (listed under Patches below). No workaround is provided; patching the kernel is the mitigation.
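The stale-pointer sequence from the analysis above and the scoped-cleanup shape of the fix, as an added userspace model in C. This is example code, not the kernel's driver and not the fix commit: the usb_ep/usb_request types, gs_alloc_req()/gs_free_req(), acm_bind_vuln()/acm_bind_fixed(), the req_guard helper and the fault counters are simplifications assumed for the demonstration, and the kernel's __free() is stood in for by the compiler cleanup attribute it expands to. Where the kernel dereferences a bad pointer and panics, the model records a fault and carries on, so both shapes can be compared in one run.

```c
/* Userspace model of the stale acm->notify_req bug behind CVE-2025-40094. Added
 * example, not kernel code: the usb_* types, gs_alloc_req() and gs_free_req() are
 * simplified stand-ins; "freed" and the counters only let the model record the misuse. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define scoped_free(fn) __attribute__((cleanup(fn)))  /* what the kernel's __free() expands to */

struct usb_ep;
struct usb_request { void *buf; bool freed; };        /* "freed" is model-only */
struct usb_ep_ops { void (*free_request)(struct usb_ep *, struct usb_request *); };
struct usb_ep { const struct usb_ep_ops *ops; };
struct f_acm { struct usb_ep *notify; struct usb_request *notify_req; };

static int faults;          /* events the real kernel would have crashed on */
static int live_requests;   /* allocated minus released */
static void mock_free_request(struct usb_ep *ep, struct usb_request *req)
{
	(void)ep;
	if (req->freed) { faults++; return; }             /* releasing an already-released request */
	req->freed = true;
	live_requests--;
}
static const struct usb_ep_ops mock_ops = { .free_request = mock_free_request };

static void usb_ep_free_request(struct usb_ep *ep, struct usb_request *req)
{
	if (!ep) { faults++; return; }                    /* kernel: NULL dereference at ep->ops */
	ep->ops->free_request(ep, req);                   /* the crash site in the trace */
}

static struct usb_request *gs_alloc_req(struct usb_ep *ep, size_t len)
{
	struct usb_request *req = calloc(1, sizeof(*req));
	(void)ep;
	if (!req || !(req->buf = malloc(len))) { free(req); return NULL; }
	live_requests++;
	return req;
}

/* Like u_serial's gs_free_req(); the struct is kept so a stale pointer can be inspected, not dereferenced. */
static void gs_free_req(struct usb_ep *ep, struct usb_request *req)
{
	free(req->buf);
	req->buf = NULL;
	usb_ep_free_request(ep, req);
}

/* Pre-fix shape: a single error label frees whatever acm->notify_req holds. */
static int acm_bind_vuln(struct f_acm *acm, struct usb_ep *notify_ep, bool fail_late)
{
	int status = -ENODEV;
	if (!notify_ep) goto fail;                        /* endpoint lookup failed; nothing allocated yet */
	acm->notify = notify_ep;
	acm->notify_req = gs_alloc_req(notify_ep, 16);
	if (!acm->notify_req) { status = -ENOMEM; goto fail; }
	if (fail_late) { status = -EINVAL; goto fail; }   /* some later bind step failing */
	return 0;
fail:
	if (acm->notify_req)                              /* BUG: may be what acm_unbind() already released */
		gs_free_req(acm->notify, acm->notify_req);
	return status;
}

/* Unbind releases the request but leaves the pointer in place: stale from here on. */
static void acm_unbind(struct f_acm *acm) { gs_free_req(acm->notify, acm->notify_req); }

/* Fixed shape: this call's request sits in a scoped guard, so an early failure
 * frees nothing, a late failure frees exactly this allocation, and ownership
 * moves to acm only on success (the job of the kernel's no_free_ptr()). */
struct req_guard { struct usb_ep *ep; struct usb_request *req; };
static void req_guard_release(struct req_guard *g) { if (g->req) gs_free_req(g->ep, g->req); }
static int acm_bind_fixed(struct f_acm *acm, struct usb_ep *notify_ep, bool fail_late)
{
	struct req_guard guard scoped_free(req_guard_release) = { .ep = notify_ep, .req = NULL };
	if (!notify_ep) return -ENODEV;
	guard.req = gs_alloc_req(notify_ep, 16);
	if (!guard.req) return -ENOMEM;
	if (fail_late) return -EINVAL;                    /* guard releases guard.req on the way out */
	acm->notify = notify_ep;
	acm->notify_req = guard.req;
	guard.req = NULL;                                 /* moved into acm: guard must not free it */
	return 0;
}

/* The advisory's sequence (bind, unbind, rebind failing at endpoint lookup),
 * then a bind failing after allocation. Returns the faults recorded. */
static int run_bind_cycle(int (*bind)(struct f_acm *, struct usb_ep *, bool))
{
	struct usb_ep ep = { .ops = &mock_ops };
	struct f_acm acm = { 0 };
	int before = faults;
	if (bind(&acm, &ep, false) != 0) return -1;
	acm_unbind(&acm);
	bind(&acm, NULL, false);                          /* must not touch the stale pointer */
	bind(&acm, &ep, true);                            /* must release this call's own request */
	return faults - before;
}
static int requests_live(void) { return live_requests; } /* 0 after a cycle means no leak */
```

Build with gcc or clang, since the cleanup attribute is the same compiler extension the kernel relies on. run_bind_cycle(acm_bind_vuln) records one fault, the second release of the request acm_unbind() already dropped; run_bind_cycle(acm_bind_fixed) records none, and requests_live() is 0 afterwards, showing that the guard still released the request when the bind failed after allocating. Clearing acm->notify_req in the unbind path would be an additional defensive measure; the model keeps it stale on purpose so that the difference between the two bind shapes is what decides the outcome.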
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Linux kernel
Patches
- c5d116862dd3
- 2b1546f7c5fc
- e348d18fb012
- 201a66d8e663
- c4301e4dd6b3
- 47b2116e54b4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://git.kernel.org/stable/c/201a66d8e6630762e760e1d78f1d149da1691e7b (nvd)
- https://git.kernel.org/stable/c/2b1546f7c5fc6c44555a8e7a2b34229d1dcd2175 (nvd)
- https://git.kernel.org/stable/c/47b2116e54b4a854600341487e8b55249e926324 (nvd)
- https://git.kernel.org/stable/c/c4301e4dd6b32faccb744f1c2320e64235b68d3b (nvd)
- https://git.kernel.org/stable/c/c5d116862dd3ed162d079738a5ebddf9fceea850 (nvd)
- https://git.kernel.org/stable/c/e348d18fb0124b662cfefb3001733b49da428215 (nvd)
News mentions
No linked articles in our index yet.