Linux Kernel Vulnerability in USB Gadget Functionality
CVE-2025-40092

Currently unrated

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 30 October 2025

What is CVE-2025-40092?

A vulnerability has been identified in the Linux kernel's USB gadget functionality, specifically within the f_ncm driver. The issue arises across the bind and unbind cycle: an unbind can leave a stale request behind, and if a subsequent bind fails, its error path attempts to clean up that stale request and dereferences a NULL pointer, crashing the kernel. To mitigate this, the error handling in the bind path has been refactored to implement an automatic cleanup mechanism, so the error path only releases what the current bind acquired, enhancing overall stability and security.
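The bug pattern described above, modelled as an added example that is not the f_ncm source: a userspace C sketch with hypothetical struct and function names, where the vulnerable bind error path frees whatever the stale `f->req` points at through an endpoint pointer that unbind already cleared, while the fixed bind only undoes its own steps.

```c
#include <stdlib.h>
/* Constructed model of the bind/unbind hazard described above: not the f_ncm
 * source, and every struct and function name here is hypothetical. */
struct ep   { int claimed; };
struct req  { struct ep *ep; };
struct func { struct ep *ep; struct req *req; };
/* Stands in for usb_ep_free_request(): writes through ep, so a NULL ep is the
 * NULL pointer dereference; modelled here as -1 instead of a crash. */
static int free_request(struct ep *ep, struct req *r) {
    if (!ep) return -1;
    ep->claimed = 0;
    free(r);
    return 0;
}
/* Unbind frees the request but leaves f->req stale: the state the text names. */
static void unbind(struct func *f) {
    free_request(f->ep, f->req);
    f->ep = NULL;
}

/* Vulnerable: the error path frees whatever f->req holds, even a request left
 * over from the previous cycle, through an ep that is now NULL. */
static int bind_vuln(struct func *f, struct ep *ep, int fail_early) {
    if (fail_early) goto err;              /* e.g. endpoint autoconfig failed */
    f->ep = ep; ep->claimed = 1;
    if (!(f->req = calloc(1, sizeof *f->req))) goto err;
    f->req->ep = ep;
    return 0;
err:
    if (f->req && free_request(f->ep, f->req)) return -2;   /* would crash */
    return -1;
}

/* Fixed: undo only what this call itself did, so the error path can never
 * reach a pointer inherited from an earlier cycle. */
static int bind_fixed(struct func *f, struct ep *ep, int fail_early) {
    if (fail_early) return -1;             /* nothing acquired, nothing to undo */
    struct req *r = calloc(1, sizeof *r);
    if (!r) return -1;
    r->ep = ep; ep->claimed = 1;
    f->ep = ep; f->req = r;
    return 0;
}
/* One bind -> unbind -> failing bind cycle; -2 marks the NULL dereference. */
static int cycle(int fixed) {
    struct ep ep = {0}; struct func f = {0};
    if (fixed) { bind_fixed(&f, &ep, 0); unbind(&f); return bind_fixed(&f, &ep, 1); }
    bind_vuln(&f, &ep, 0); unbind(&f); return bind_vuln(&f, &ep, 1);
}
```

`cycle(0)` returns -2 (the vulnerable error path reaches the stale request through a NULL endpoint), while `cycle(1)` returns a plain -1 because the fixed bind never touches state it did not create.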

Affected Version(s) (given as Linux git commit ranges)

  • Linux 9f6ce4240a2bf456402c15c06768059e5973f28c < 185193a4714aa9c78437a7a1858fbe5771f0f45c

  • Linux 9f6ce4240a2bf456402c15c06768059e5973f28c

  • Linux 9f6ce4240a2bf456402c15c06768059e5973f28c < 1cde4516295a030cb8ab4c93114ca3b6c3c6a1e2

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
