PatchSiren

CVE-2026-43422 Linux CVE debrief

CVE-2026-43422 covers a Linux kernel USB legacy NCM issue where gncm_bind() could hit a NULL pointer dereference after a lifecycle change deferred net_device allocation. The fix preserves qmult, host_addr, and dev_addr in ncm_opts->net_opts during bind so they can be applied later, after the net_device exists.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-12
Advisory published: 2026-05-08
Advisory updated: 2026-05-12

Who should care

Linux kernel maintainers, distro security teams, and anyone shipping or relying on USB gadget / legacy NCM function support should review this CVE, especially if they backport kernel changes or expose gadget bindings in production.

Technical summary

The supplied description ties the bug to commit 56a512a9b410, which deferred net_device allocation in the NCM gadget lifecycle. Legacy NCM code in gncm_bind() then attempted to access the net_device before it had been fully instantiated, leading to a NULL pointer dereference. The corrective change stores qmult, host_addr, and dev_addr in struct ncm_opts->net_opts during gncm_bind(), allowing the later NCM function-driver allocation/configuration path to apply them safely.

Defensive priority

Medium. Prioritize if your kernels include USB gadget / legacy NCM support or if you maintain custom kernel backports, because the flaw sits in kernel-level bind logic and can crash the system when exercised.

Recommended defensive actions

  • Verify whether your kernel tree contains the fixing changes referenced by the official kernel stable links in the NVD record, and backport them if necessary.
  • If you maintain USB gadget or legacy NCM support, test bind and unbind workflows after lifecycle-related kernel updates to confirm parameters survive deferred net_device allocation.
  • Update affected vendor or distro kernel packages as soon as patched builds are available.
  • If legacy NCM gadget functionality is not required, disable it or avoid exposing it in production configurations.
  • Watch for kernel oops or crash reports that mention gncm_bind or the legacy NCM bind path.
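
One way to automate the last action above, added here as an example and not taken from the advisory or the kernel project: it groups kernel NULL-dereference reports in a log and keeps only those whose frames name gncm_bind. The log lines, offsets and the example_* symbols are constructed, and the x86 and arm64 header wordings are the only report formats it recognizes.

```python
import re

# Report start: x86 and arm64 wording for a kernel NULL pointer dereference.
START = re.compile(r"BUG: kernel NULL pointer dereference"
                   r"|Unable to handle kernel NULL pointer dereference")
END = re.compile(r"---\[ end trace")
# Symbol in a RIP/pc line or stack frame, e.g. "gncm_bind+0x5c/0x1d0".
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")

def find_oopses(lines, symbol="gncm_bind"):
    """Return the NULL-dereference reports whose frames include `symbol`."""
    hits, cur = [], None

    def flush():
        if cur and symbol in cur["frames"]:
            hits.append(cur)

    for raw in lines:
        line = STAMP.sub("", raw.strip())
        if START.search(line):
            flush()                      # previous report had no end marker
            cur = {"header": line, "frames": []}
        elif cur is not None:
            cur["frames"] += FRAME.findall(line)
            if END.search(line):
                flush()
                cur = None
    flush()                              # log cut off mid-report by the crash
    return hits

# Constructed sample log (not captured from a real system).
SAMPLE = """\
[   12.100000] usb gadget: gncm_bind mentioned outside any crash report
[   12.345678] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   12.345700] RIP: 0010:gncm_bind+0x5c/0x1d0
[   12.345720] Call Trace:
[   12.345740]  example_caller+0x8a/0x200
[   12.345760] ---[ end trace 0000000000000000 ]---
[   98.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[   98.000020] RIP: 0010:example_probe+0x11/0x90
[   98.000040] ---[ end trace 0000000000000000 ]---
[  140.500000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  140.500020]  gncm_bind+0x48/0x1a0
""".splitlines()

if __name__ == "__main__":
    for hit in find_oopses(SAMPLE):
        print(hit["header"], "->", " <- ".join(hit["frames"]))
```

On a live system the input would be the kernel log (for example the saved output of `dmesg` or `journalctl -k`) read line by line instead of `SAMPLE`.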

Evidence notes

This debrief is based only on the supplied CVE description and official links. The CVE was published on 2026-05-08 UTC and modified on 2026-05-12 UTC. The supplied NVD record lists the status as Undergoing Analysis. The NVD references include official kernel stable links associated with the fix, and the description explicitly states that commit 56a512a9b410 changed the net_device lifecycle and introduced the NULL pointer dereference in the legacy NCM driver path. Vendor attribution in the source data is low confidence, so this write-up refers to the affected Linux kernel USB legacy NCM code rather than asserting a standalone vendor product.

Official resources

Public CVE record published 2026-05-08 UTC and modified 2026-05-12 UTC. The supplied NVD record is marked Undergoing Analysis.