Linux Kernel Vulnerability in USB Gadget by Linux Foundation
CVE-2025-40093
What is CVE-2025-40093?
A vulnerability in the Linux kernel affects the USB Gadget functionality related to the ECM (Ethernet Control Model). The issue arises during the bind/unbind cycle, where the notify request associated with the ECM becomes stale. If a subsequent bind operation fails, the error path tries to free this stale request, which can trigger a NULL pointer dereference when accessing the operation used to free requests. The vulnerability has been addressed by refactoring the error handling in the bind path to use an automatic cleanup mechanism, improving stability and reliability.
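The stale-request pattern described above, as an added user-space model (not kernel code and not the actual patch). Every name in it is hypothetical, and the GCC/Clang `cleanup` attribute is assumed as a stand-in for the automatic cleanup mechanism the fix uses.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct req  { bool live; };
struct func { struct req *notify_req; };  /* outlives each bind/unbind cycle */

static struct req pool;                   /* stands in for the allocator */
static int stale_frees;                   /* frees of an already-released request */

static struct req *req_alloc(void) { pool.live = true; return &pool; }
static void req_free(struct req *r)
{
    if (!r) return;
    if (!r->live) stale_frees++;          /* models the faulting free */
    r->live = false;
}
static void req_freep(struct req **p) { req_free(*p); }

/* Unbind releases the request but leaves the pointer in the struct. */
static void model_unbind(struct func *f) { req_free(f->notify_req); }

/* 'Before': the error label frees whatever the long-lived struct holds. */
static int bind_goto(struct func *f, bool fail_early)
{
    if (fail_early)
        goto fail;                        /* nothing allocated in this call */
    f->notify_req = req_alloc();
    return 0;
fail:
    if (f->notify_req)
        req_free(f->notify_req);          /* may be left over from last cycle */
    return -1;
}

/* 'After': a scoped local owns the request until bind has succeeded. */
static int bind_scoped(struct func *f, bool fail_early, bool fail_late)
{
    __attribute__((cleanup(req_freep))) struct req *r = NULL;
    if (fail_early)
        return -1;                        /* r is NULL, nothing is freed */
    r = req_alloc();
    if (fail_late)
        return -1;                        /* r is freed automatically, once */
    f->notify_req = r;                    /* hand ownership to the struct */
    r = NULL;                             /* disarm the cleanup */
    return 0;
}
```

Running bind, unbind, then a failing bind against `bind_goto` records one stale free; the same sequence against `bind_scoped` records none, because its error paths only release what the current call allocated.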
Affected Version(s)
Linux da741b8c56d612b5dd26ffa31341911a5fea23ee
Linux da741b8c56d612b5dd26ffa31341911a5fea23ee < 070f341d86cf2c098d63e484a86c7c1d2696a868
Linux da741b8c56d612b5dd26ffa31341911a5fea23ee < 15b9faf53ba8719700596e7ef78879ce200e8c2e