CVE-2025-40095

Linux Kernel - NULL Pointer Dereference in USB Gadget RNDIS Bind Path

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism.

Scores

EPSS 0.0018
EPSS Percentile 8.1%

Details

Status published
Products (16)
linux/Kernel 2.6.27 - 6.1.158linux
linux/Kernel 6.13.0 - 6.17.5linux
linux/Kernel 6.2.0 - 6.6.114linux
linux/Kernel 6.7.0 - 6.12.55linux
Linux/Linux < 2.6.27
Linux/Linux 2.6.27
Linux/Linux 45fe3b8e5342cd1ce307099459c74011d8e01986 - 08228941436047bdcd35a612c1aec0912a29d8cd
Linux/Linux 45fe3b8e5342cd1ce307099459c74011d8e01986 - 380353c3a92be7d928e6f973bd065c5b79755ac3
Linux/Linux 45fe3b8e5342cd1ce307099459c74011d8e01986 - 5f65c8ad8c7292ed7e3716343fcd590a51818cc3
Linux/Linux 45fe3b8e5342cd1ce307099459c74011d8e01986 - a8366263b7e5b663d7fb489d3a9ba1e2600049a6
... and 6 more
Published Oct 30, 2025
Tracked Since Feb 18, 2026