NULL pointer dereference in Linux kernel - CVE-2026-43424
Published: May 8, 2026
Vulnerability identifier: #VU130757
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-43424
CWE-ID: CWE-476
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to a NULL pointer dereference in the USB Target driver f_tcm BOT command and request processing paths when handling crafted Bulk-Only Transport commands during a race window where the nexus is not established or has just been dropped. An attacker with physical access can send a specially crafted USB request to cause a denial of service.
The issue occurs if requests arrive before the nexus is fully established or immediately after it is dropped.
How to mitigate CVE-2026-43424
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7
- https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065
- https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706
- https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156
- https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19
- https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6
- https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1