Wind River Support Network

Acknowledged

LIN1025-5694 : Security Advisory - linux - CVE-2025-40092

Created: Oct 31, 2025    Updated: Nov 3, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: Refactor bind path to use __free()

After a bind/unbind cycle, the ncm->notify_req is left stale. If a
subsequent bind fails, the unified error label attempts to free this
stale request, leading to a NULL pointer dereference when accessing
ep->ops->free_request.

Refactor the error handling in the bind path to use the __free()
automatic cleanup mechanism.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
Call trace:
 usb_ep_free_request+0x2c/0xec
 ncm_bind+0x39c/0x3dc
 usb_add_function+0xcc/0x1f0
 configfs_composite_bind+0x468/0x588
 gadget_bind_driver+0x104/0x270
 really_probe+0x190/0x374
 __driver_probe_device+0xa0/0x12c
 driver_probe_device+0x3c/0x218
 __device_attach_driver+0x14c/0x188
 bus_for_each_drv+0x10c/0x168
 __device_attach+0xfc/0x198
 device_initial_probe+0x14/0x24
 bus_probe_device+0x94/0x11c
 device_add+0x268/0x48c
 usb_add_gadget+0x198/0x28c
 dwc3_gadget_init+0x700/0x858
 __dwc3_set_mode+0x3cc/0x664
 process_scheduled_works+0x1d8/0x488
 worker_thread+0x244/0x334
 kthread+0x114/0x1bc
 ret_from_fork+0x10/0x20
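
The error-handling pattern described above, as an added user-space model (not the kernel's f_ncm code and not part of the advisory): a shared error label frees a pointer kept in a long-lived struct, next to a scope-owned local built on the compiler cleanup attribute that the kernel's __free() relies on. The struct names, the pool, and the fault counter are hypothetical stand-ins, and a counted "fault" takes the place of the oops.

```c
#include <stdio.h>
/* Hypothetical user-space model; these are not kernel types. */
struct req  { int in_use; };
struct func { struct req *notify_req; };      /* outlives bind/unbind cycles */
static struct req pool[4];
static int faults;  /* releases of a request that is not live: stands in for the oops */

static struct req *req_alloc(void) {
    for (int i = 0; i < 4; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}
static void req_free(struct req *r) {
    if (!r) return;
    if (!r->in_use) { faults++; return; }     /* stale pointer reached the release path */
    r->in_use = 0;
}
static void unbind(struct func *f) { req_free(f->notify_req); } /* pointer left stale */

/* Before: the shared label frees whatever the long-lived struct points at. */
static int bind_legacy(struct func *f, int fail_early) {
    if (fail_early) goto fail;                /* nothing allocated in this call yet */
    if (!(f->notify_req = req_alloc())) goto fail;
    return 0;
fail:
    req_free(f->notify_req);                  /* may be left over from an earlier cycle */
    return -1;
}

/* After: a scope-owned local; the struct is only written on success. */
static void req_cleanup(struct req **p) { req_free(*p); }
static int bind_scoped(struct func *f, int fail_early) {
    struct req *r __attribute__((cleanup(req_cleanup))) = NULL;
    if (fail_early) return -1;                /* r is NULL: cleanup is a no-op */
    if (!(r = req_alloc())) return -1;
    f->notify_req = r;
    r = NULL;                                 /* hand ownership to f */
    return 0;
}

/* Constructed scenario: bind, unbind, then a bind that fails early. */
static int faults_after_cycle(int (*bind)(struct func *, int)) {
    struct func f = { 0 };
    faults = 0;
    bind(&f, 0); unbind(&f); bind(&f, 1);
    return faults;
}

int main(void) { printf("legacy=%d scoped=%d\n", faults_after_cycle(bind_legacy), faults_after_cycle(bind_scoped)); return 0; }
```
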