Unrated severity · NVD Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026

CVE-2025-40095


Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_rndis: Refactor bind path to use __free()

After a bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request.

Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Linux kernel USB gadget f_rndis bind/unbind cycle leaves a stale request pointer, leading to NULL dereference on subsequent bind failure; fixed with __free() cleanup.

Vulnerability Description

In the Linux kernel's USB gadget f_rndis driver, during a bind/unbind cycle, the rndis->notify_req pointer is not properly cleared. If a subsequent bind operation fails, the unified error handling path attempts to free this stale request, resulting in a NULL pointer dereference when calling ep->ops->free_request. The root cause is the lack of automatic cleanup for the notify request in error paths. [1]

Exploitation Scenario

The vulnerability is triggered through a sequence of USB gadget bind and unbind operations, which can be performed by a privileged local user or through crafted USB device interactions. No special authentication is required beyond the ability to manage USB gadget configurations. The attack surface is local, requiring access to the USB gadget subsystem. [2]

Impact

A successful exploit leads to a NULL pointer dereference, causing a kernel crash (denial of service). This can be used to disrupt system availability. There is no evidence of privilege escalation or remote code execution from this bug alone.

Mitigation

The Linux kernel has addressed this vulnerability by refactoring the error handling in the f_rndis bind path to use the __free() automatic cleanup mechanism, which ensures that stale pointers are properly managed. The fix is included in the stable kernel trees via commits [1] and [2]. Users are advised to update their kernels to the latest stable version to mitigate this issue.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
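
The pattern described above, as an added example that is not the kernel's code: a userspace C model in which a long-lived `notify_req` field survives unbind, a unified error label frees it on a later failed bind, and a scoped local with `__attribute__((cleanup))` (the compiler feature the kernel's `__free()` is built on) avoids touching it. The pool, the `fail_at` parameter and all function names are hypothetical; a free of an already-released request is counted rather than crashing.

```c
/* Userspace model (constructed); names follow the advisory, not kernel source. */
#include <stddef.h>
struct req  { int live; };
struct func { struct req *notify_req; };        /* long-lived: survives unbind */
static struct req pool[8];
static int used, stale_frees;                   /* stale_frees: frees of a dead request */
static struct req *req_alloc(void)
{
    if (used == 8) return NULL;
    pool[used].live = 1;
    return &pool[used++];
}
static void req_free(struct req *r) { if (!r->live) stale_frees++; r->live = 0; }
static void unbind(struct func *f) { req_free(f->notify_req); } /* pointer left set */

/* Before: one error label that trusts the long-lived field. */
static int bind_goto(struct func *f, int fail_at)
{
    if (fail_at == 1) goto fail;                /* fails before this bind allocates */
    f->notify_req = req_alloc();
    if (!f->notify_req || fail_at == 2) goto fail;
    return 0;
fail:
    if (f->notify_req) req_free(f->notify_req); /* may be last cycle's request */
    return -1;
}

/* After: the request stays in a scoped local until bind has succeeded. */
static void req_cleanup(struct req **p) { if (*p) req_free(*p); }
static int bind_scoped(struct func *f, int fail_at)
{
    __attribute__((cleanup(req_cleanup))) struct req *r = NULL;
    if (fail_at == 1) return -1;
    r = req_alloc();
    if (!r || fail_at == 2) return -1;          /* r released automatically */
    f->notify_req = r;
    r = NULL;                                   /* ownership handed to f */
    return 0;
}

/* Bind, unbind, then a bind that fails at fail_at; returns stale frees seen. */
static int scenario(int (*bind)(struct func *, int), int fail_at)
{
    struct func f = { NULL };
    used = stale_frees = 0;
    bind(&f, 0); unbind(&f); bind(&f, fail_at);
    return stale_frees;
}
int main(void) { return scenario(bind_goto, 1) == 1 && !scenario(bind_scoped, 1) ? 0 : 1; }
```

Build with GCC or Clang; the program exits 0 when the goto variant records one stale free and the scoped variant records none.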
