{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43424", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:56.008Z", "datePublished": "2026-05-08T14:21:58.365Z", "dateUpdated": "2026-05-08T14:21:58.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-08T14:21:58.365Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling\n\nThe `tpg->tpg_nexus` pointer in the USB Target driver is dynamically\nmanaged and tied to userspace configuration via ConfigFS. It can be\nNULL if the USB host sends requests before the nexus is fully\nestablished or immediately after it is dropped.\n\nCurrently, functions like `bot_submit_command()` and the data\ntransfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately\ndereference `tv_nexus->tvn_se_sess` without any validation. If a\nmalicious or misconfigured USB host sends a BOT (Bulk-Only Transport)\ncommand during this race window, it triggers a NULL pointer\ndereference, leading to a kernel panic (local DoS).\n\nThis exposes an inconsistent API usage within the module, as peer\nfunctions like `usbg_submit_command()` and `bot_send_bad_response()`\ncorrectly implement a NULL check for `tv_nexus` before proceeding.\n\nFix this by bringing consistency to the nexus handling. Add the\nmissing `if (!tv_nexus)` checks to the vulnerable BOT command and\nrequest processing paths, aborting the command gracefully with an\nerror instead of crashing the system."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_tcm.c"], "versions": [{"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "b9b26d7f3aa288cfa54a7bc68612bab1f153f156", "status": "affected", "versionType": "git"}, {"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7", "status": "affected", "versionType": "git"}, {"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "d146f27758049fa55ae4c53785a852d3cf7a18d6", "status": "affected", "versionType": "git"}, {"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "f962ca3b020e13d6714f27e8c36fe742441c58d1", "status": "affected", "versionType": "git"}, {"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "679d9535aeb15c10bce89c44102004b96624d706", "status": "affected", "versionType": "git"}, {"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "3d309b37633c4a847fc149939a2c9576f1aa1065", "status": "affected", "versionType": "git"}, {"version": "c52661d60f636d17e26ad834457db333bd1df494", "lessThan": "b9fde507355342a2d64225d582dc8b98ff5ecb19", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_tcm.c"], "versions": [{"version": "3.5", "status": "affected"}, {"version": "0", "lessThan": "3.5", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156"}, {"url": "https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7"}, {"url": "https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6"}, {"url": "https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1"}, {"url": "https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706"}, {"url": "https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065"}, {"url": "https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19"}], "title": "usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling\n\nThe `tpg->tpg_nexus` pointer in the USB Target driver is dynamically\nmanaged and tied to userspace configuration via ConfigFS. It can be\nNULL if the USB host sends requests before the nexus is fully\nestablished or immediately after it is dropped.\n\nCurrently, functions like `bot_submit_command()` and the data\ntransfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately\ndereference `tv_nexus->tvn_se_sess` without any validation. If a\nmalicious or misconfigured USB host sends a BOT (Bulk-Only Transport)\ncommand during this race window, it triggers a NULL pointer\ndereference, leading to a kernel panic (local DoS).\n\nThis exposes an inconsistent API usage within the module, as peer\nfunctions like `usbg_submit_command()` and `bot_send_bad_response()`\ncorrectly implement a NULL check for `tv_nexus` before proceeding.\n\nFix this by bringing consistency to the nexus handling. Add the\nmissing `if (!tv_nexus)` checks to the vulnerable BOT command and\nrequest processing paths, aborting the command gracefully with an\nerror instead of crashing the system."}], "id": "CVE-2026-43424", "lastModified": "2026-05-08T15:16:54.497", "metrics": {}, "published": "2026-05-08T15:16:54.497", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}