{"id":"CVE-2026-23320","summary":"usb: gadget: f_ncm: align net_device lifecycle with bind/unbind","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: align net_device lifecycle with bind/unbind\n\nCurrently, the net_device is allocated in ncm_alloc_inst() and freed in\nncm_free_inst(). This ties the network interface's lifetime to the\nconfiguration instance rather than the USB connection (bind/unbind).\n\nThis decoupling causes issues when the USB gadget is disconnected where\nthe underlying gadget device is removed. The net_device can outlive its\nparent, leading to dangling sysfs links and NULL pointer dereferences\nwhen accessing the freed gadget device.\n\nProblem 1: NULL pointer dereference on disconnect\n Unable to handle kernel NULL pointer dereference at virtual address\n 0000000000000000\n Call trace:\n   __pi_strlen+0x14/0x150\n   rtnl_fill_ifinfo+0x6b4/0x708\n   rtmsg_ifinfo_build_skb+0xd8/0x13c\n   rtmsg_ifinfo+0x50/0xa0\n   __dev_notify_flags+0x4c/0x1f0\n   dev_change_flags+0x54/0x70\n   do_setlink+0x390/0xebc\n   rtnl_newlink+0x7d0/0xac8\n   rtnetlink_rcv_msg+0x27c/0x410\n   netlink_rcv_skb+0x134/0x150\n   rtnetlink_rcv+0x18/0x28\n   netlink_unicast+0x254/0x3f0\n   netlink_sendmsg+0x2e0/0x3d4\n\nProblem 2: Dangling sysfs symlinks\n console:/ # ls -l /sys/class/net/ncm0\n lrwxrwxrwx ... /sys/class/net/ncm0 -\u003e\n /sys/devices/platform/.../gadget.0/net/ncm0\n console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0\n ls: .../gadget.0/net/ncm0: No such file or directory\n\nMove the net_device allocation to ncm_bind() and deallocation to\nncm_unbind(). This ensures the network interface exists only when the\ngadget function is actually bound to a configuration.\n\nTo support pre-bind configuration (e.g., setting interface name or MAC\naddress via configfs), cache user-provided options in f_ncm_opts\nusing the gether_opts structure. Apply these cached settings to the\nnet_device upon creation in ncm_bind().\n\nPreserve the use-after-free fix from commit 6334b8e4553c (\"usb: gadget:\nf_ncm: Fix UAF ncm object at re-bind after usb ep transport error\").\nCheck opts-\u003enet in ncm_set_alt() and ncm_disable() to ensure\ngether_disconnect() runs only if a connection was established.","modified":"2026-04-02T13:12:21.344716Z","published":"2026-03-25T10:27:14.398Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23320.json","cna_assigner":"Linux"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/188338c1827842f898761a939669cf345bdf07e2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/56a512a9b4107079f68701e7d55da8507eb963d9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b62076e780a2121903ecf9ffdfb89c64647cb7da"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23320.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23320"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"40d133d7f542616cf9538508a372306e626a16e9"},{"fixed":"b62076e780a2121903ecf9ffdfb89c64647cb7da"},{"fixed":"188338c1827842f898761a939669cf345bdf07e2"},{"fixed":"56a512a9b4107079f68701e7d55da8507eb963d9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23320.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.11.0"},{"fixed":"6.18.17"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23320.json"}}],"schema_version":"1.7.5"}