CVE-2026-23320 Overview
CVE-2026-23320 is a vulnerability in the Linux kernel's USB gadget f_ncm (Network Control Model) driver that affects the lifecycle management of net_device objects. The vulnerability stems from a design flaw where the network device is allocated during configuration instance creation (ncm_alloc_inst()) rather than during the USB bind operation, causing the network interface's lifetime to be tied to the configuration instance rather than the actual USB connection state.
This misalignment creates a dangerous condition when the USB gadget is disconnected—the underlying gadget device is removed while the net_device can still outlive its parent, leading to NULL pointer dereferences and dangling sysfs symlinks.
Critical Impact
Local attackers with access to the USB gadget subsystem can trigger kernel NULL pointer dereferences causing system crashes and denial of service conditions. The vulnerability also creates dangling sysfs symlinks that can lead to unpredictable system behavior.
Affected Products
- Linux Kernel (USB gadget subsystem with f_ncm driver enabled)
- Systems using USB NCM (Network Control Model) gadget functionality
- Embedded Linux devices with USB gadget configurations
Discovery Timeline
- 2026-03-25 - CVE-2026-23320 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23320
Vulnerability Analysis
The vulnerability exists in the f_ncm USB gadget function driver, specifically in how it manages the lifecycle of net_device objects. The root issue is an architectural decision that allocates the network device in ncm_alloc_inst() and frees it in ncm_free_inst(), rather than aligning this lifecycle with the ncm_bind() and ncm_unbind() operations.
When a USB gadget is disconnected, the underlying gadget device is removed from the system. However, because the net_device was allocated separately and tied to the configuration instance, it continues to exist after its parent device has been freed. This creates two distinct problems:
Problem 1: NULL Pointer Dereference - When the network interface attempts to access the freed gadget device (for example, during an rtnl_fill_ifinfo() call), the kernel dereferences a NULL pointer. The call trace shows the crash occurring in string length operations during netlink message processing for interface information.
Problem 2: Dangling Sysfs Symlinks - The sysfs directory structure maintains symbolic links to the network device at /sys/class/net/ncm0, but these links point to paths under the now-removed gadget device, resulting in broken symlinks and potential further kernel issues.
Root Cause
The root cause is improper lifecycle management where the net_device allocation is decoupled from the USB gadget bind/unbind cycle. The design incorrectly ties the network interface lifetime to the f_ncm configuration instance rather than the actual USB connection state, violating the expected parent-child relationship between the gadget device and network interface.
Attack Vector
The attack vector requires local access to a system with USB gadget functionality enabled. An attacker would need the ability to:
- Trigger USB gadget disconnect events (physical access or privileged software control)
- Subsequently interact with the orphaned network interface through netlink or sysfs operations
- Trigger operations that cause the kernel to access the freed gadget device structure
The vulnerability is particularly relevant for embedded systems, mobile devices, and development boards that utilize USB gadget functionality for networking capabilities.
The vulnerability mechanism involves the following flow: when ncm_alloc_inst() creates the network device, it establishes a parent relationship with the gadget device. Upon USB disconnect, ncm_unbind() is called but the network device persists. Subsequent operations like dev_change_flags() or rtnl_fill_ifinfo() attempt to traverse the device hierarchy, encountering the freed parent device and triggering the NULL pointer dereference. See the kernel git commit for technical implementation details.
Detection Methods for CVE-2026-23320
Indicators of Compromise
- Kernel panic messages containing NULL pointer dereference at address 0x0000000000000000 with call traces involving rtnl_fill_ifinfo, rtmsg_ifinfo, or dev_change_flags
- Presence of dangling symlinks in /sys/class/net/ pointing to non-existent paths under removed gadget devices
- Kernel log entries showing USB gadget disconnect events followed by network interface errors
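The kernel-log indicator above can be checked mechanically. This is an added example, not part of the original advisory or the kernel sources: a POSIX shell/awk filter that reports NULL pointer dereference oopses whose call trace contains rtnl_fill_ifinfo, rtmsg_ifinfo, or dev_change_flags. The names ncm_oops_scan and sample_log, the 40-line trace window, and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NULL-deref oopses whose call trace contains the
# rtnetlink frames named in the indicators above.

sample_log() {   # constructed log lines, not captured from a real crash
    cat <<'EOF'
[  100.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  100.000002] Call trace:
[  100.000003]  __pi_strlen+0x10/0x98
[  100.000004]  rtnl_fill_ifinfo+0x4b0/0x1200
[  100.000005]  rtmsg_ifinfo_build_skb+0x90/0x110
[  100.000006]  rtmsg_ifinfo+0x5c/0xa0
[  100.000007]  dev_change_flags+0x50/0x70
[  100.000008] ---[ end trace 0000000000000000 ]---
[  300.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.000002] Call Trace:
[  300.000003]  some_other_driver_irq+0x20/0x80
EOF
}

ncm_oops_scan() {
    # Reads kernel log text on stdin; prints one line per matching oops.
    awk '
    function emit() {
        # Report only oopses that contained at least one frame of interest.
        if (inoops && frames != "") print "match: " head " frames=" frames
        inoops = 0; frames = ""
    }
    /NULL pointer dereference/ { emit(); inoops = 1; left = 40; head = $0; next }
    inoops {
        if (match($0, /(rtnl_fill_ifinfo|rtmsg_ifinfo|dev_change_flags)\+0x/)) {
            fn = substr($0, RSTART, RLENGTH - 3)      # drop the "+0x" suffix
            if (index("," frames ",", "," fn ",") == 0)
                frames = (frames == "" ? fn : frames "," fn)
        }
        # Close the window at the end-of-trace marker or after 40 lines.
        if (--left == 0 || /end trace/) emit()
    }
    END { emit() }
    '
}

sample_log | ncm_oops_scan
```

On a live system, pipe `dmesg` or `journalctl -k` output into `ncm_oops_scan` in place of `sample_log`.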
Detection Strategies
- Monitor kernel logs for NULL pointer dereference crashes in the netlink or rtnetlink subsystems following USB disconnect events
- Implement sysfs monitoring to detect broken symbolic links in /sys/class/net/ directories
- Deploy kernel tracing (ftrace/perf) to monitor ncm_bind(), ncm_unbind(), ncm_alloc_inst(), and ncm_free_inst() function calls for anomalous patterns
- Audit systems for USB gadget configurations using the NCM function driver
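One way to implement the sysfs check for broken links, as an added example that is not part of the original advisory: it lists entries in a net class directory that are symlinks whose target no longer resolves. The function names, the fixture layout, and the `gadget.0` path component are constructed for illustration; on a real system the function is called with no argument to scan /sys/class/net.

```shell
#!/bin/sh
# Added example: report dangling symlinks in a net class directory
# (the /sys/class/net/ncm0 case described above).

dangling_netdev_links() {
    dir=${1:-/sys/class/net}
    for entry in "$dir"/*; do
        # -L: the entry is a symlink; ! -e: following it fails (target gone).
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            printf '%s -> %s\n' "${entry##*/}" "$(readlink "$entry")"
        fi
    done
}

make_fixture() {
    # Constructed stand-in for sysfs: one healthy link and one whose parent
    # gadget directory does not exist, mimicking the post-disconnect state.
    root=$(mktemp -d)
    mkdir -p "$root/devices/virtual/net/lo" "$root/class/net"
    ln -s ../../devices/virtual/net/lo "$root/class/net/lo"
    ln -s ../../devices/platform/udc/gadget.0/net/ncm0 "$root/class/net/ncm0"
    printf '%s\n' "$root/class/net"
}

fixture=$(make_fixture)
dangling_netdev_links "$fixture"
rm -rf "${fixture%/class/net}"
```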
Monitoring Recommendations
- Configure kernel crash dump collection (kdump) to capture NULL pointer dereference events for analysis
- Implement regular sysfs integrity checks for network interface symbolic links
- Monitor for unexpected USB gadget disconnect/reconnect cycles that could indicate exploitation attempts
- Enable kernel audit logging for USB subsystem events on systems with gadget functionality enabled
How to Mitigate CVE-2026-23320
Immediate Actions Required
- Apply the kernel patches from the Linux kernel stable branches as soon as available
- If USB NCM gadget functionality is not required, disable the f_ncm driver by blacklisting the module or removing it from the kernel configuration
- Restrict physical access to USB ports on affected systems
- Monitor systems for kernel crashes with the characteristic NULL pointer dereference patterns
Patch Information
The vulnerability has been resolved through kernel patches that move the net_device allocation from ncm_alloc_inst() to ncm_bind() and deallocation from ncm_free_inst() to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration.
The fix also introduces caching for user-provided configuration options (such as interface name and MAC address) in f_ncm_opts using the gether_opts structure, which are then applied to the net_device upon creation in ncm_bind().
Relevant kernel commits are available at:
Workarounds
- Disable USB NCM gadget functionality if not operationally required by adding blacklist usb_f_ncm to the modprobe configuration
- Implement physical security controls to prevent unauthorized USB disconnection events
- Use alternative USB networking gadget drivers such as RNDIS or ECM where NCM is not strictly required
- On systems where the gadget must remain active, avoid triggering network interface state changes during or after USB disconnect events
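# Disable f_ncm module loading as a workaround (run as root)
# "blacklist" stops alias-based autoloading; "install ... /bin/false" makes an explicit modprobe fail
echo "blacklist usb_f_ncm" >> /etc/modprobe.d/disable-ncm.conf
echo "install usb_f_ncm /bin/false" >> /etc/modprobe.d/disable-ncm.conf
# Rebuild the initramfs so the setting also applies during early boot (Debian/Ubuntu tool)
update-initramfs -u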

