CVE-2026-43422 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-08 | Updated 2026-05-08 | Assigner Linux

Product status

Default status

unaffected

b62076e780a2121903ecf9ffdfb89c64647cb7da (git) before be5738d19bed244ede84da45bc45395bcb1d99e0

affected

188338c1827842f898761a939669cf345bdf07e2 (git) before b23e86a3a15803c3dcb24701285f73e65099fdf9

affected

56a512a9b4107079f68701e7d55da8507eb963d9 (git) before fde0634ad9856b3943a2d1a8cc8de174a63ac840

affected

Default status

unaffected

6.18.17 (semver) before 6.18.19

affected

6.19.7 (semver) before 6.19.9

affected

References

git.kernel.org/...c/be5738d19bed244ede84da45bc45395bcb1d99e0

git.kernel.org/...c/b23e86a3a15803c3dcb24701285f73e65099fdf9

git.kernel.org/...c/fde0634ad9856b3943a2d1a8cc8de174a63ac840

cve.org (CVE-2026-43422)

nvd.nist.gov (CVE-2026-43422)

Download JSON