CVE-2025-40095
Linux Kernel - NULL Pointer Dereference in USB Gadget RNDIS Bind Path
Title source: llmDescription
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.
References (5)
Core 5
Core References
Scores
EPSS
0.0018
EPSS Percentile
8.1%
Details
Status
published
Products (16)
linux/Kernel
2.6.27 - 6.1.158linux
linux/Kernel
6.13.0 - 6.17.5linux
linux/Kernel
6.2.0 - 6.6.114linux
linux/Kernel
6.7.0 - 6.12.55linux
Linux/Linux
< 2.6.27
Linux/Linux
2.6.27
Linux/Linux
45fe3b8e5342cd1ce307099459c74011d8e01986 - 08228941436047bdcd35a612c1aec0912a29d8cd
Linux/Linux
45fe3b8e5342cd1ce307099459c74011d8e01986 - 380353c3a92be7d928e6f973bd065c5b79755ac3
Linux/Linux
45fe3b8e5342cd1ce307099459c74011d8e01986 - 5f65c8ad8c7292ed7e3716343fcd590a51818cc3
Linux/Linux
45fe3b8e5342cd1ce307099459c74011d8e01986 - a8366263b7e5b663d7fb489d3a9ba1e2600049a6
... and 6 more
Published
Oct 30, 2025
Tracked Since
Feb 18, 2026