PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43421 Linux CVE debrief

CVE-2026-43421 is a Linux kernel USB gadget bug in the f_ncm function driver: the network device (net_device) could outlive its parent gadget device during disconnect. According to the NVD record and the kernel fix description, this left dangling sysfs links and created a null pointer dereference risk; the same description also reports a regression in USB reconnection and DHCP behavior on pmOS. The fix reworks net_device lifetime management around device_move() and adds gadget attach/detach helpers so that the interface keeps its identity across bind/unbind cycles.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-12
Advisory published
2026-05-08
Advisory updated
2026-05-12

Who should care

Linux kernel maintainers, USB gadget subsystem maintainers, distribution kernel teams, and operators of embedded or mobile Linux systems that use the f_ncm USB gadget function should pay attention. Systems that rely on USB reconnection behavior, stable interface naming, or DHCP-based provisioning are the most likely to notice operational impact.

Technical summary

The vulnerability description states that f_ncm managed the net_device lifecycle incorrectly during gadget disconnection, allowing the net_device to outlive its parent gadget device. That left dangling sysfs relationships (links that still name a parent device that no longer exists) and exposed null pointer dereferences. The remediation uses device_move() to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind and unbind cycles, and introduces gether_attach_gadget()/gether_detach_gadget() helpers together with __free(detach_gadget), the kernel's scope-based cleanup attribute, so that a bind that fails part-way unwinds the attach automatically. A bind_count ensures that device_move() is performed only on the first bind.
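The following is an added userspace model of the lifetime problem and of the fix pattern described above. It is illustration only, not kernel code and not the upstream patch: struct model_device, struct model_netdev, attach_gadget(), detach_gadget() and virtual_root are stand-ins for the real gadget device, net_device, the gether_attach_gadget()/gether_detach_gadget() helpers, device_move() and /sys/devices/virtual. The vulnerable path creates the netdev as a child of the gadget and never moves it; the fixed path keeps one netdev across bind/unbind cycles, reparents it to the virtual root before the gadget is torn down, and unwinds the attach when a bind fails.

```c
/* Added model, not kernel code: gadget/netdev lifetime with and without reparenting. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_device {
    const char *name;
    bool alive;        /* cleared on teardown so a stale parent pointer is observable */
};

/* Stand-in for /sys/devices/virtual: always present, never freed. */
static struct model_device virtual_root = { "virtual", true };

struct model_netdev {
    char ifname[16];
    struct model_device *parent;   /* what sysfs exposes as <ifname>/device */
};

static struct model_device *gadget_alloc(const char *name)
{
    struct model_device *g = calloc(1, sizeof(*g));
    if (!g)
        abort();
    g->name = name;
    g->alive = true;
    return g;
}

/* Teardown marks the object dead instead of freeing it immediately, so a
 * dangling parent can be checked without undefined behaviour. */
static void gadget_teardown(struct model_device *g) { g->alive = false; }

static bool parent_is_live(const struct model_netdev *nd)
{
    return nd->parent != NULL && nd->parent->alive;
}

/* Vulnerable pattern: the netdev is a child of the gadget and nothing moves it,
 * so after disconnect it still names a parent that no longer exists. */
static bool buggy_disconnect_dangles(void)
{
    struct model_device *g = gadget_alloc("gadget.0");
    struct model_netdev *nd = calloc(1, sizeof(*nd));
    if (!nd)
        abort();
    strcpy(nd->ifname, "usb0");
    nd->parent = g;                 /* parent fixed at creation, never changed */
    gadget_teardown(g);             /* disconnect: netdev outlives its parent */
    bool dangling = !parent_is_live(nd);
    free(nd);
    free(g);
    return dangling;
}

/* Fixed pattern as the page describes it: attach reparents the netdev under the
 * gadget, detach reparents it back under the virtual root (stand-in for device_move). */
static void attach_gadget(struct model_netdev *nd, struct model_device *g) { nd->parent = g; }
static void detach_gadget(struct model_netdev *nd) { nd->parent = &virtual_root; }

/* Bind attaches, then runs the rest of bind (simulated by `ok`). On failure the
 * attach is unwound before returning, the job __free(detach_gadget) does in the fix. */
static int fixed_bind(struct model_netdev *nd, struct model_device *g, bool ok)
{
    attach_gadget(nd, g);
    if (!ok) {
        detach_gadget(nd);
        return -1;
    }
    return 0;
}

struct fixed_outcome {
    bool dangling;      /* true if any cycle left the parent pointing at a dead gadget */
    bool same_netdev;   /* true if the same netdev object served every cycle */
    int failed_binds;   /* binds that failed part-way and were unwound */
};

/* Runs `cycles` bind/unbind rounds with one netdev; bind number `fail_on` fails. */
static struct fixed_outcome fixed_bind_cycles(int cycles, int fail_on)
{
    struct model_netdev *nd = calloc(1, sizeof(*nd));   /* allocated once, kept throughout */
    if (!nd)
        abort();
    strcpy(nd->ifname, "usb0");
    nd->parent = &virtual_root;
    const struct model_netdev *first = nd;
    struct fixed_outcome out = { false, true, 0 };

    for (int i = 0; i < cycles; i++) {
        struct model_device *g = gadget_alloc("gadget.0");
        if (fixed_bind(nd, g, i != fail_on) == 0)
            detach_gadget(nd);      /* normal unbind: reparent before teardown */
        else
            out.failed_binds++;
        gadget_teardown(g);         /* disconnect */
        out.dangling |= !parent_is_live(nd);
        out.same_netdev &= (nd == first);
        free(g);
    }
    free(nd);
    return out;
}

int main(void)
{
    struct fixed_outcome o = fixed_bind_cycles(3, 1);
    printf("buggy path dangles: %d\n", buggy_disconnect_dangles());
    printf("fixed path dangles: %d, same netdev: %d, failed binds: %d\n",
           o.dangling, o.same_netdev, o.failed_binds);
    return 0;
}
```

The model does not reproduce bind_count or the kernel's reference counting; it only shows the invariant the fix restores: the netdev's parent is always a live object, and the netdev itself is the same object before and after every bind/unbind, so interface naming survives reconnection.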

Defensive priority

Medium

Recommended defensive actions

  • Check whether your kernels include the upstream fix series referenced by the stable kernel commits in the NVD record.
  • Prioritize updates on systems that use Linux USB gadget f_ncm for tethering, networking, or automated provisioning.
  • Validate USB gadget reconnect behavior after patching, especially if your workflow depends on persistent interface naming or DHCP lease retention.
  • Monitor kernel logs on affected systems for oops or warning output around gadget disconnect, particularly anything referencing f_ncm, u_ether, sysfs link handling or a NULL pointer dereference.
  • If you maintain downstream kernel trees, backport the lifecycle fix set rather than attempting ad hoc local changes to SET_NETDEV_DEV or net_device allocation timing.
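The check below is an added example for the validation and monitoring steps above; it is not from the page, the NVD record or the kernel tree. It walks a /sys/class/net-style directory and counts interfaces whose "device" symlink no longer resolves, which is the observable form of the dangling sysfs link described in the technical summary. run_fixture_check() builds a constructed fake tree under /tmp (one healthy gadget-backed interface, one whose parent directory is missing, and lo with no device link) so the check can be run offline; main() also runs it against the live /sys/class/net when present.

```c
/* Added example: count net interfaces whose sysfs "device" link is dangling. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PBUF 4096

/* Returns the number of entries under net_class_dir whose "device" entry is a
 * symlink with a missing target, or -1 if the directory cannot be opened. */
static int count_dangling_device_links(const char *net_class_dir)
{
    DIR *d = opendir(net_class_dir);
    if (!d)
        return -1;
    int dangling = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')
            continue;
        char link[PBUF];
        snprintf(link, sizeof link, "%s/%s/device", net_class_dir, e->d_name);
        struct stat lst, st;
        /* Interfaces with no parent device (lo, pure virtual devices) have no
         * "device" link at all; those are not gadget-backed and are skipped. */
        if (lstat(link, &lst) != 0 || !S_ISLNK(lst.st_mode))
            continue;
        /* Link present but target gone: the netdev has outlived its parent. */
        if (stat(link, &st) != 0)
            dangling++;
    }
    closedir(d);
    return dangling;
}

/* Constructed fixture (not real sysfs data): usb0 -> existing parent,
 * usb1 -> parent directory that was never created, lo without a device link.
 * Expected result: exactly one dangling link. */
static int run_fixture_check(void)
{
    char root[] = "/tmp/sysfs-model-XXXXXX";
    if (!mkdtemp(root))
        return -1;
    const char *dirs[] = { "class", "class/net", "class/net/lo",
                           "class/net/usb0", "class/net/usb1",
                           "devices", "devices/platform",
                           "devices/platform/gadget.0" };
    size_t ndirs = sizeof dirs / sizeof dirs[0];
    char path[PBUF], target[PBUF];
    for (size_t i = 0; i < ndirs; i++) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        if (mkdir(path, 0700) != 0)
            return -1;
    }
    snprintf(target, sizeof target, "%s/devices/platform/gadget.0", root);
    snprintf(path, sizeof path, "%s/class/net/usb0/device", root);
    if (symlink(target, path) != 0)
        return -1;
    snprintf(target, sizeof target, "%s/devices/platform/gadget.1", root); /* never created */
    snprintf(path, sizeof path, "%s/class/net/usb1/device", root);
    if (symlink(target, path) != 0)
        return -1;

    snprintf(path, sizeof path, "%s/class/net", root);
    int result = count_dangling_device_links(path);

    /* Remove the fixture again. */
    snprintf(path, sizeof path, "%s/class/net/usb0/device", root);
    unlink(path);
    snprintf(path, sizeof path, "%s/class/net/usb1/device", root);
    unlink(path);
    for (size_t i = ndirs; i-- > 0;) {
        snprintf(path, sizeof path, "%s/%s", root, dirs[i]);
        rmdir(path);
    }
    rmdir(root);
    return result;
}

int main(void)
{
    printf("fixture: %d dangling link(s)\n", run_fixture_check());
    int live = count_dangling_device_links("/sys/class/net");
    if (live >= 0)
        printf("/sys/class/net: %d dangling link(s)\n", live);
    return 0;
}
```

Run it before and after a USB reconnect on a patched and an unpatched system; a non-zero count on the live tree after disconnect is the symptom worth correlating with the kernel log entries mentioned above. The check is read-only on /sys and needs no privileges beyond read access.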

Evidence notes

This debrief is based only on the supplied NVD record and the linked stable.kernel.org references. The NVD entry lists the vulnerability as "Undergoing Analysis" and provides no CVSS vector, score, weaknesses, or CPE criteria in the supplied corpus. The kernel description explicitly states that the net_device outlived its parent gadget device during disconnection and that the fix uses device_move and gadget attach/detach helpers. The vendor field in the supplied record is weak/unknown, so the impact is described at the Linux kernel subsystem level rather than as a specific commercial product issue.

Official resources

CVE published at 2026-05-08T15:16:54.173Z and last modified at 2026-05-12T14:10:27.343Z, per the supplied timeline fields.