CVE-2026-43422

Published: May 8, 2026

Modified: May 11, 2026

PUBLISHED

Description

In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver.

Vendor	Product	Versions
Linux	Linux	affected `b62076e780a2121903ecf9ffdfb89c64647cb7da - < be5738d19bed244ede84da45bc45395bcb1d99e0` affected `188338c1827842f898761a939669cf345bdf07e2 - < b23e86a3a15803c3dcb24701285f73e65099fdf9` affected `56a512a9b4107079f68701e7d55da8507eb963d9 - < fde0634ad9856b3943a2d1a8cc8de174a63ac840`
Linux	Linux	affected `6.18.17 - < 6.18.19` affected `6.19.7 - < 6.19.9`

References

https://git.kernel.org/stable/c/be5738d19bed244ede84da45bc45395bcb1d99e0

https://git.kernel.org/stable/c/b23e86a3a15803c3dcb24701285f73e65099fdf9

https://git.kernel.org/stable/c/fde0634ad9856b3943a2d1a8cc8de174a63ac840

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-43422

Description

Affected Products

References