PatchSiren cyber security CVE debrief
CVE-2026-43423 Linux CVE debrief
CVE-2026-43423 is a Linux kernel issue in the usb: gadget: f_ncm path where ncm_set_alt took a mutex while running in atomic context. Acquiring a mutex may sleep, so the reported result is the kernel's "BUG: sleeping function called from invalid context" warning seen in the call trace. The upstream fix removes the struct net_device pointer from f_ncm_opts, eliminating the shared state that the mutex guarded against configfs races, and switches connection-state handling to a boolean flag so the earlier use-after-free fix remains intact.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-12
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-12
Who should care
Linux kernel maintainers, distro kernel teams, embedded/device vendors, and operators of systems that use USB gadget mode with NCM and configfs should care most. The issue is relevant wherever this gadget function can be reached in deployed kernels, especially in appliance, IoT, and embedded builds. Note that the affected path (composite_setup -> set_config -> ncm_set_alt) is driven by the USB host's control requests during configuration, so it is exercised by whatever host the gadget device is plugged into, not only by local configuration changes.
Technical summary
According to the supplied CVE description, ncm_set_alt used a mutex to protect against races with configfs, but acquiring that mutex is an operation that may sleep, and ncm_set_alt can run in atomic context. The kernel trace shows the failure at __mutex_lock within ncm_set_alt, reached from set_config and composite_setup; composite_setup handles USB control requests and typically runs in the UDC driver's interrupt context with the controller lock held, which is why a sleeping lock there is invalid. The fix removes the net_device pointer from f_ncm_opts so the path no longer depends on that mutex and uses a boolean connection-state flag, while preserving the prior use-after-free remediation from commit 6334b8e4553c.
Defensive priority
Moderate priority for systems that include or expose USB gadget NCM support. This is a kernel correctness and stability issue in a gadget path reachable from the attached USB host during configuration, so it should be backported promptly where the feature is used, even though the supplied corpus does not include CVSS or exploitation evidence and does not characterize impact beyond the reported warning.
Recommended defensive actions
- Backport or deploy the kernel fixes referenced by the stable git.kernel.org links in the source record.
- Audit whether your kernels are built with and actually use USB gadget mode, especially the f_ncm function and configfs-based gadget configuration.
- Check for kernel log messages matching 'sleeping function called from invalid context' with ncm_set_alt in the call trace in affected environments. Note that this warning is only emitted when the kernel is built with CONFIG_DEBUG_ATOMIC_SLEEP; production kernels without it will not log it and may instead misbehave silently, so absence of the message is not evidence of absence.
- Prioritize testing on embedded, appliance, and device-firmware kernels where USB gadget functionality is enabled.
- Verify that any backport preserves the earlier use-after-free fix noted in the CVE description, not just the locking change.
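The following audit script is an added example for the actions above and is not part of the advisory, the kernel, or PatchSiren. It checks whether f_ncm is built in or loaded, counts NCM function instances under configfs, and scans a kernel log for sleeping-in-atomic warnings whose call trace mentions ncm_set_alt, so that unrelated warnings from other subsystems are not counted. The file paths, the 40-line trace window and the sample data are assumptions; the sample config, modules line and log are constructed for offline testing.

```shell
#!/bin/sh
# Added example for the CVE-2026-43423 debrief (not kernel or PatchSiren code).
# Paths such as /boot/config-$(uname -r), /proc/modules and
# /sys/kernel/config/usb_gadget are assumptions; adjust for your distro.

# ncm_build_status CONFIG_FILE
# Reads a kernel .config (e.g. /boot/config-$(uname -r), or /proc/config.gz
# decompressed to a file) and prints y (built in), m (module), n or unknown.
ncm_build_status() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then echo unknown; return 0; fi
    case "$(grep -E '^CONFIG_USB_F_NCM=' "$cfg" | head -n 1)" in
        CONFIG_USB_F_NCM=y) echo y ;;
        CONFIG_USB_F_NCM=m) echo m ;;
        *) echo n ;;
    esac
}

# ncm_module_loaded MODULES_FILE
# Reads /proc/modules (or a saved copy); prints 1 if usb_f_ncm is loaded.
ncm_module_loaded() {
    if [ -r "$1" ] && grep -q '^usb_f_ncm ' "$1"; then echo 1; else echo 0; fi
}

# ncm_configfs_instances CONFIGFS_ROOT
# Counts ncm function instances (<gadget>/functions/ncm.<name>) under the
# configfs usb_gadget root, normally /sys/kernel/config/usb_gadget.
ncm_configfs_instances() {
    if [ ! -d "$1" ]; then echo 0; return 0; fi
    find "$1" -mindepth 3 -maxdepth 3 -type d -path '*/functions/ncm.*' \
        | wc -l | tr -d ' '
}

# ncm_sleep_warnings LOG_FILE
# Counts "sleeping function called from invalid context" warnings whose
# following 40 lines (the dumped call trace) mention ncm_set_alt. The
# window size is an assumption; the warning has no explicit end marker.
ncm_sleep_warnings() {
    if [ ! -r "$1" ]; then echo 0; return 0; fi
    awk '
        /sleeping function called from invalid context/ {
            if (inblk && hit) n++
            inblk = 1; hit = 0; left = 40; next
        }
        inblk {
            if ($0 ~ /ncm_set_alt/) hit = 1
            left--
            if (left == 0) { if (hit) n++; inblk = 0; hit = 0 }
        }
        END { if (inblk && hit) n++; print n + 0 }
    ' "$1"
}

# write_sample_config PATH / write_sample_log PATH
# Constructed sample data: one matching warning (trace as described in the
# CVE) and one unrelated sleeping-in-atomic warning from another subsystem.
write_sample_config() {
    printf '%s\n' 'CONFIG_USB_GADGET=y' 'CONFIG_USB_CONFIGFS=m' \
        'CONFIG_USB_F_NCM=m' > "$1"
}
write_sample_log() {
    cat > "$1" <<'EOF'
[   12.345678] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283
[   12.345700] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0
[   12.345720] Call Trace:
[   12.345730]  __mutex_lock+0x40/0x120
[   12.345740]  ncm_set_alt+0x5c/0x1a0
[   12.345750]  set_config+0x1f0/0x420
[   12.345760]  composite_setup+0x6a4/0xc00
[   20.000000] BUG: sleeping function called from invalid context at mm/page_alloc.c:100
[   20.000010] Call Trace:
[   20.000020]  some_other_driver_irq+0x10/0x20
EOF
}

# ncm_audit CONFIG MODULES CONFIGFS_ROOT LOG: print a one-screen summary.
ncm_audit() {
    echo "CONFIG_USB_F_NCM: $(ncm_build_status "$1")"
    echo "usb_f_ncm loaded: $(ncm_module_loaded "$2")"
    echo "ncm configfs instances: $(ncm_configfs_instances "$3")"
    echo "ncm_set_alt sleep warnings: $(ncm_sleep_warnings "$4")"
}

if [ "${1:-}" = "--demo" ]; then
    tmp="${TMPDIR:-/tmp}/ncm-demo.$$"
    mkdir -p "$tmp/g1/functions/ncm.usb0"
    write_sample_config "$tmp/config"; write_sample_log "$tmp/kern.log"
    printf 'usb_f_ncm 28672 1 - Live 0x0\n' > "$tmp/modules"
    ncm_audit "$tmp/config" "$tmp/modules" "$tmp" "$tmp/kern.log"
    rm -r "$tmp"
elif [ "$#" -eq 4 ]; then
    ncm_audit "$1" "$2" "$3" "$4"
fi
```

Run with `--demo` to see the constructed sample, or pass the four live paths, e.g. `sh ncm_audit.sh /boot/config-$(uname -r) /proc/modules /sys/kernel/config/usb_gadget /var/log/kern.log`. A zero warning count on a kernel built without CONFIG_DEBUG_ATOMIC_SLEEP tells you nothing, so the build and configfs checks are the ones to rely on for exposure.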
Evidence notes
This debrief is based only on the supplied CVE text, the NVD record metadata, and the three official kernel.org stable reference links. The NVD source item was marked 'Undergoing Analysis' and does not provide a CVSS vector, weaknesses, or CPE criteria in the supplied corpus. Timing context uses the CVE published and modified timestamps supplied with the record: published 2026-05-08T15:16:54.390Z and modified 2026-05-12T14:10:27.343Z.
Official resources
- CVE-2026-43423 CVE record (CVE.org)
- CVE-2026-43423 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVE-2026-43423 was published on 2026-05-08T15:16:54.390Z and last modified on 2026-05-12T14:10:27.343Z. The supplied NVD record was still undergoing analysis at the time of capture.