CVE-2026-43424

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling<br /> <br /> The `tpg-&gt;tpg_nexus` pointer in the USB Target driver is dynamically<br /> managed and tied to userspace configuration via ConfigFS. It can be<br /> NULL if the USB host sends requests before the nexus is fully<br /> established or immediately after it is dropped.<br /> <br /> Currently, functions like `bot_submit_command()` and the data<br /> transfer paths retrieve `tv_nexus = tpg-&gt;tpg_nexus` and immediately<br /> dereference `tv_nexus-&gt;tvn_se_sess` without any validation. If a<br /> malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)<br /> command during this race window, it triggers a NULL pointer<br /> dereference, leading to a kernel panic (local DoS).<br /> <br /> This exposes an inconsistent API usage within the module, as peer<br /> functions like `usbg_submit_command()` and `bot_send_bad_response()`<br /> correctly implement a NULL check for `tv_nexus` before proceeding.<br /> <br /> Fix this by bringing consistency to the nexus handling. Add the<br /> missing `if (!tv_nexus)` checks to the vulnerable BOT command and<br /> request processing paths, aborting the command gracefully with an<br /> error instead of crashing the system.