SB20260325139 - Use After Free in Linux kernel gadget function driver

Description

This security bulletin contains information about 1 security vulnerability.

1) Use After Free (CVE-ID: CVE-2026-23320)

The vulnerability allows a local user to cause a denial of service (system crash) or potentially execute arbitrary code.

The vulnerability exists due to a use-after-free in the USB gadget networking control model (NCM) functionality when handling device bind/unbind operations. A local user can trigger USB gadget disconnection to access a freed net_device structure, resulting in a NULL pointer dereference or use-after-free condition.

The issue arises because the net_device is allocated during configuration instance creation but not freed until the instance is destroyed, allowing it to outlive its parent USB gadget device upon unbind. This leads to dangling sysfs links and invalid memory references when the system attempts to access the already-freed device context.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/188338c1827842f898761a939669cf345bdf07e2
• https://git.kernel.org/stable/c/56a512a9b4107079f68701e7d55da8507eb963d9
• https://git.kernel.org/stable/c/b62076e780a2121903ecf9ffdfb89c64647cb7da