Use After Free in Linux kernel - CVE-2026-23320

 

Use After Free in Linux kernel - CVE-2026-23320

Published: March 25, 2026


Vulnerability identifier: #VU124531
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23320
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service (system crash) or potentially execute arbitrary code.

The vulnerability exists due to a use-after-free in the USB gadget networking control model (NCM) functionality when handling device bind/unbind operations. A local user can trigger USB gadget disconnection to access a freed net_device structure, resulting in a NULL pointer dereference or use-after-free condition.

The issue arises because the net_device is allocated during configuration instance creation but not freed until the instance is destroyed, allowing it to outlive its parent USB gadget device upon unbind. This leads to dangling sysfs links and invalid memory references when the system attempts to access the already-freed device context.


How to mitigate CVE-2026-23320

Install security update from vendor's repository.

Sources