{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23320", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "REJECTED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.995Z", "datePublished": "2026-03-25T10:27:14.398Z", "dateUpdated": "2026-04-03T15:42:10.765Z", "dateRejected": "2026-04-03T15:42:10.765Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:42:10.765Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}], "id": "CVE-2026-23320", "lastModified": "2026-04-03T16:16:23.600", "metrics": {}, "published": "2026-03-25T11:16:28.747", "references": [], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Rejected"}

{"bugzilla": {"description": "kernel: usb: gadget: f_ncm: align net_device lifecycle with bind/unbind", "id": "2451162", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451162"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in the Linux kernel's USB gadget Network Control Model (NCM) function. This vulnerability occurs when a USB gadget is disconnected, causing the associated network device to persist beyond its intended lifecycle. This can lead to a NULL pointer dereference, potentially resulting in system instability or a denial of service. It may also cause lingering system file system (sysfs) symbolic links."], "name": "CVE-2026-23320", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23320\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23320\nhttps://lore.kernel.org/linux-cve-announce/2026032530-CVE-2026-23320-0ae7@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[40d133d7f542616cf9538508a372306e626a16e9,b62076e780a2121903ecf9ffdfb89c64647cb7da)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[40d133d7f542616cf9538508a372306e626a16e9,188338c1827842f898761a939669cf345bdf07e2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[40d133d7f542616cf9538508a372306e626a16e9,56a512a9b4107079f68701e7d55da8507eb963d9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T05:35:47.295742+00:00", "value": {"mitigation_remediation": ["Update the system to a Linux kernel version that includes the patch moving net_device allocation to ncm_bind() and deallocation to ncm_unbind().", "If a patch is not available, disable the f_ncm USB gadget driver to prevent disconnect events from reaching the kernel.", "Verify that the running kernel contains the commit from the fix or runs a kernel version that has integrated the changes."], "summary": {"action": "Apply Patch", "impact": "Kernel crash denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that ship the f_ncm driver without the commit that moves the net_device allocation into ncm_bind() and its deallocation into ncm_unbind() are affected. If you are running a distribution kernel that has not incorporated this change, your system is vulnerable. Custom kernels can be checked for the specific commit or the absence of the fix.", "description_and_impact": "The Linux kernel\u2019s f_ncm USB gadget driver creates a network device that is freed when the gadget disconnects, but its lifecycle is tied to the configuration instance rather than the bind/unbind process. This misalignment allows the net_device to outlive its gadget, resulting in dangling sysfs links and NULL pointer dereferences that cause the kernel to crash. The kernel panic effectively brings the system down, resulting in denial of service.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a medium\u2011to\u2011high severity. The EPSS score is below 1% and the flaw is not in the CISA KEV list, suggesting a low likelihood of widespread exploitation. The likely attack vector requires a local or privileged user to orchestrate a USB gadget disconnect while the driver is active, which would trigger the kernel crash. Since the vulnerability is tied to kernel internals, exploitation requires sufficient privileges to interact with the USB gadget interface."}}}}, "created": "2026-03-25T21:15:09.214359+00:00", "title": "Kernel Crash via Dangling net_device in f_ncm USB Gadget Driver", "updated": "2026-03-26T12:16:38.659530+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}