CVE-2026-43424

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A NULL pointer dereference exists in the USB Target driver's nexus handling. The tpg->tpg nexus pointer is dynamically managed via ConfigFS and can be NULL if a USB host sends requests before the nexus is established or after it is dropped. Functions such as bot submit command() and data transfer paths retrieve tv nexus = tpg->tpg nexus and dereference tv nexus->tvn se sess without validation. A malicious or misconfigured USB host can trigger this by sending a Bulk-Only Transport (BOT) command during this race window, resulting in a kernel panic and local Denial of Service (DoS).

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.