CVE-2025-40094— usb: gadget: f_acm: Refactor bind path to use __free()
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-40094
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
usb: gadget: f_acm: Refactor bind path to use __free()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_acm: Refactor bind path to use __free() After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 Call trace: usb_ep_free_request+0x2c/0xec gs_free_req+0x30/0x44 acm_bind+0x1b8/0x1f4 usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未正确清理acm->notify_req请求,可能导致空指针取消引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-40094
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-40094
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-10-30 · 20 CVEs total
| CVE-2025-40096 | drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies | |
| CVE-2025-40105 | vfs: Don't leak disconnected dentries on umount | |
| CVE-2025-40104 | ixgbevf: fix mailbox API compatibility by negotiating supported features | |
| CVE-2025-40103 | smb: client: Fix refcount leak for cifs_sb_tlink | |
| CVE-2025-40102 | KVM: arm64: Prevent access to vCPU events before init | |
| CVE-2025-40100 | btrfs: do not assert we found block group item when creating free space tree | |
| CVE-2025-40101 | btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST | |
| CVE-2025-40099 | cifs: parse_dfs_referrals: prevent oob on malformed input | |
| CVE-2025-40098 | ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() | |
| CVE-2025-40097 | ALSA: hda: Fix missing pointer check in hda_component_manager_init function | |
| CVE-2025-40086 | drm/xe: Don't allow evicting of BOs in same VM in array of VM binds | |
| CVE-2025-40095 | usb: gadget: f_rndis: Refactor bind path to use __free() | |
| CVE-2025-40093 | usb: gadget: f_ecm: Refactor bind path to use __free() | |
| CVE-2025-40092 | usb: gadget: f_ncm: Refactor bind path to use __free() | |
| CVE-2025-40090 | ksmbd: fix recursive locking in RPC handle list access | |
| CVE-2025-40091 | ixgbe: fix too early devlink_free() in ixgbe_remove() | |
| CVE-2025-40089 | cxl/features: Add check for no entries in cxl_feature_info | |
| CVE-2025-40088 | hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() | |
| CVE-2025-40087 | NFSD: Define a proc_layoutcommit for the FlexFiles layout type |
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-40094
No comments yet