CVE-2026-43423: Linux Kernel Use-After-Free Vulnerability

CVE-2026-43423 Overview

CVE-2026-43423 affects the Linux kernel's USB gadget subsystem, specifically the f_ncm (Network Control Model) function driver. The ncm_set_alt function held a mutex to protect against races with configfs, but it invoked a might-sleep operation inside an atomic context. This triggered a BUG: sleeping function called from invalid context warning during USB enumeration. The flaw represents an atomicity violation that can lead to kernel instability and denial of service on systems using USB NCM gadget functionality.

Critical Impact

Local attackers or USB peripheral conditions can trigger a kernel BUG splat through the ncm_set_alt path, resulting in unstable behavior or denial of service on affected Linux systems.

Affected Products

• Linux kernel — USB gadget subsystem (drivers/usb/gadget/function/f_ncm.c)
• Systems using the USB NCM (Network Control Model) gadget function
• Stable kernel branches receiving the referenced commits

Discovery Timeline

• 2026-05-08 - CVE-2026-43423 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-43423

Vulnerability Analysis

The f_ncm driver implements the USB Network Control Model gadget function. The ncm_set_alt function executes when the USB host selects an alternate setting on the NCM interface. This callback runs in atomic context because it operates on the USB control transfer path.

The original code acquired a mutex inside ncm_set_alt to serialize access against configfs operations that could race with the bind path. Mutex acquisition can sleep, which is forbidden in atomic context. The resulting __might_sleep warning indicates a real locking-rule violation that can lead to scheduling-while-atomic conditions.

This is classified as an atomicity violation and improper synchronization issue within a kernel driver. While the immediate observable effect is a kernel warning and potential instability, locking rule violations in the USB enumeration path can cascade into broader subsystem failures.

Root Cause

The root cause is the use of a sleeping primitive — __mutex_lock — inside the ncm_set_alt callback, which the USB gadget framework invokes from an atomic context. The mutex was introduced to coordinate with configfs writes that could modify the struct net_device pointer stored in f_ncm_opts, but the chosen synchronization mechanism was incompatible with the calling context.

Attack Vector

The vulnerability is reachable through normal USB enumeration when an NCM gadget is bound and a host issues a SET_INTERFACE request. The call chain observed in the bug report runs from composite_setup through set_config into ncm_set_alt, then into __mutex_lock. An attacker with physical USB access or local control over configfs writes against an active NCM function can trigger the unsafe lock acquisition. The vulnerability does not provide remote code execution, but it does expose a reliable kernel-level fault path.

The upstream fix removes the struct net_device pointer from f_ncm_opts and replaces the mutex-protected state with a boolean flag tracking the connection state. This preserves the use-after-free fix from commit 6334b8e4553c while eliminating the sleep-in-atomic violation.

Detection Methods for CVE-2026-43423

Indicators of Compromise

• Kernel log entries containing BUG: sleeping function called from invalid context referencing ncm_set_alt
• Stack traces in dmesg showing __might_resched, __might_sleep, and __mutex_lock originating from composite_setup → set_config → ncm_set_alt
• Unexpected USB gadget reconfiguration failures on devices exposing the NCM function

Detection Strategies

• Monitor kernel ring buffers for might_sleep and scheduling while atomic messages on systems running USB gadget workloads
• Inventory Linux hosts and embedded devices using configfs-based USB gadget configurations with NCM enabled
• Compare running kernel versions against the fixed commits 0d6c8144ca4d, e533a44fb1b3, and e95120b4b95e referenced on git.kernel.org

Monitoring Recommendations

• Forward dmesg and journald kernel facility logs to a central analytics platform to flag atomic-context warnings
• Track stability metrics on USB-tethered or NCM-enabled devices including kernel oops counts and unexpected reboots
• Alert on configfs writes against /sys/kernel/config/usb_gadget/*/functions/ncm.* correlated with USB enumeration events

How to Mitigate CVE-2026-43423

Immediate Actions Required

• Apply the upstream stable kernel updates containing commits 0d6c8144ca4d, e533a44fb1b3, and e95120b4b95e from kernel.org stable
• Rebuild and redeploy custom or embedded kernels that include the f_ncm driver
• Identify all devices in the fleet using USB NCM gadget configurations and schedule patching

Patch Information

The fix is distributed across three Linux kernel stable commits referenced in the NVD advisory. The patch removes the struct net_device pointer from f_ncm_opts and replaces the mutex-protected connection state with a boolean flag. This eliminates the mutex from the atomic ncm_set_alt path while preserving the use-after-free fix introduced in commit 6334b8e4553c. See the Linux Kernel Commit Update for the patch contents.

Workarounds

• Disable the USB NCM gadget function where it is not required by unloading usb_f_ncm or omitting NCM from the gadget configuration
• Restrict configfs write access to the USB gadget hierarchy to root-only and audit administrative tooling that reconfigures gadgets at runtime
• Avoid hot-reconfiguring NCM gadgets on production devices until the patched kernel is deployed

# Verify kernel version and check for the f_ncm module
uname -r
lsmod | grep usb_f_ncm

# Temporary mitigation: unload the NCM gadget function if unused
sudo modprobe -r usb_f_ncm

# Prevent automatic loading until patched
echo 'blacklist usb_f_ncm' | sudo tee /etc/modprobe.d/blacklist-usb-f-ncm.conf