CVE-2023-52894: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

In Google internal bug 265639009 we've received an (as yet) unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device.

AFAICT the source code is at:
  https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10

The call stack is:
  ncm_close() -> ncm_notify() -> ncm_do_notify()
with the crash at:
  ncm_do_notify+0x98/0x270
  Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)

Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):

  // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
  0B 0D 00 79    strh w11, [x8, #6]

  // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
  6C 0A 00 B9    str w12, [x19, #8]

  // x10 (NULL) was read here from offset 0 of valid pointer x9
  // IMHO we're reading 'cdev->gadget' and getting NULL
  // gadget is indeed at offset 0 of struct usb_composite_dev
  2A 01 40 F9    ldr x10, [x9]

  // loading req->buf pointer, which is at offset 0 of struct usb_request
  69 02 40 F9    ldr x9, [x19]

  // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
  4B 5D 40 B9    ldr w11, [x10, #0x5c]

which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:

  event->wLength = cpu_to_le16(8);
  req->length = NCM_STATUS_BYTECOUNT;

  /* SPEED_CHANGE data is up/down speeds in bits/sec */
  data = req->buf + sizeof *event;
  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));

My analysis of registers and NULL ptr deref crash offset (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c) heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
which calls:
  ncm_bitrate(NULL)
which then calls:
  gadget_is_superspeed(NULL)
which reads ((struct usb_gadget *)NULL)->max_speed and hits a panic.

AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C. (remember there's a GKI KABI reservation of 16 bytes in struct work_struct)

It's not at all clear to me how this is all supposed to work... but returning 0 seems much better than panic-ing...
AI Analysis
Technical Summary
CVE-2023-52894 is a vulnerability in the Linux kernel's USB gadget subsystem, specifically in the helper ncm_bitrate() used by the f_ncm driver (the USB CDC NCM, Network Control Model, gadget function). It is a potential NULL pointer dereference: ncm_do_notify() passes the 'gadget' member of 'struct usb_composite_dev' to ncm_bitrate() without first checking that it is non-NULL. ncm_bitrate() then calls gadget_is_superspeed(), which reads the 'max_speed' field of 'struct usb_gadget'; with a NULL gadget that read lands at virtual address 0x5C, the offset of 'max_speed' in that structure, and the kernel panics. The crash was reported from an aarch64 GKI (Generic Kernel Image) 5.10.149-android13 device but has not been reproduced. It occurs on the USB CDC NCM notification path, specifically the NCM_NOTIFY_SPEED (speed change) case reached via ncm_close() -> ncm_notify() -> ncm_do_notify(). The fix adds a NULL check in ncm_bitrate() so that a missing gadget makes the function return 0, as the patch description states, instead of dereferencing the NULL pointer. The CVE record lists the vulnerability as affecting Linux kernel versions including commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, and it is relevant to any device that uses the f_ncm USB gadget driver, which is common in embedded and mobile devices running Linux or Android kernels. No exploitation in the wild has been reported, and no CVSS score has been assigned yet.
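A self-contained C model of the NCM_NOTIFY_SPEED path and of the ncm_bitrate() guard, added here as an illustration; it is not the kernel's code. The struct layouts are reduced to the fields the crash report names, the bit-rate constants and USB_SPEED_* values are assumed from the upstream driver, and the buffer layout follows the quoted fragment (8-byte notification header followed by two 32-bit little-endian speeds).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Reduced models of the kernel structs (assumption): only the fields named in the report. */
enum usb_device_speed { USB_SPEED_FULL = 2, USB_SPEED_HIGH = 3, USB_SPEED_SUPER = 5 };
struct usb_gadget { enum usb_device_speed max_speed, speed; };
struct usb_composite_dev { struct usb_gadget *gadget; };  /* gadget at offset 0 */
struct usb_request { uint8_t *buf; uint32_t length; };    /* buf at offset 0 */

#define NCM_STATUS_BYTECOUNT 16  /* 8-byte notification header + two le32 speeds */

/* Pre-fix ncm_bitrate(): reads g->max_speed unconditionally, so g == NULL
 * faults on the max_speed load (the 0x5c offset in the crash report). */
static unsigned ncm_bitrate_vulnerable(const struct usb_gadget *g)
{
    if (g->max_speed >= USB_SPEED_SUPER && g->speed == USB_SPEED_SUPER)
        return 13 * 1024 * 8 * 1000 * 8;   /* SuperSpeed estimate, bits/sec */
    if (g->max_speed >= USB_SPEED_HIGH && g->speed == USB_SPEED_HIGH)
        return 13 * 512 * 8 * 1000 * 8;    /* high-speed estimate, bits/sec */
    return 19 * 64 * 1 * 1000 * 8;         /* full-speed estimate, bits/sec */
}

/* Fixed ncm_bitrate(): the guard the patch adds; a missing gadget reports 0. */
static unsigned ncm_bitrate_fixed(const struct usb_gadget *g)
{
    if (!g)
        return 0;
    return ncm_bitrate_vulnerable(g);
}

static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Model of the NCM_NOTIFY_SPEED case of ncm_do_notify(); returns the rate it wrote. */
static uint32_t ncm_notify_speed(struct usb_composite_dev *cdev, struct usb_request *req)
{
    uint8_t *event = req->buf;
    memset(event, 0, NCM_STATUS_BYTECOUNT);
    event[0] = 0xA1;                 /* bmRequestType: IN | class | interface */
    event[1] = 0x2A;                 /* bNotificationType: CONNECTION_SPEED_CHANGE */
    put_le16(event + 6, 8);          /* event->wLength = cpu_to_le16(8) */
    req->length = NCM_STATUS_BYTECOUNT;
    /* data = req->buf + sizeof *event; data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); */
    uint32_t rate = ncm_bitrate_fixed(cdev->gadget);   /* survives cdev->gadget == NULL */
    put_le32(event + 8, rate);       /* upstream bit rate */
    put_le32(event + 12, rate);      /* downstream bit rate */
    return rate;
}
```

With a NULL gadget the notification is still well-formed (header filled, length 16) and simply reports a speed of 0, which is the behaviour the patch description chooses over a panic.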
Potential Impact
For European organizations, the impact of CVE-2023-52894 depends largely on their use of Linux-based embedded systems or Android devices that enable the USB CDC NCM gadget driver. The vulnerability causes a kernel panic, so its effect is a denial of service (DoS) on the affected device. In sectors such as telecommunications, industrial control systems, or IoT deployments where Linux-based embedded devices are prevalent, this can mean service interruptions or device unavailability. The vulnerability does not appear to allow privilege escalation or arbitrary code execution, but the resulting crashes can disrupt operations, especially where USB networking gadgets are relied on for connectivity or device management. The absence of known exploits reduces the immediate risk, but the potential for DoS on embedded devices used by European enterprises and public sector deployments warrants attention. Android devices running affected kernels may also experience instability, affecting mobile workforce productivity and device reliability.
Mitigation Recommendations
To mitigate CVE-2023-52894, European organizations should:
1) Identify and inventory devices running affected Linux kernel versions, especially those using the f_ncm USB gadget driver, including embedded systems and Android devices on GKI 5.10.149 or similar kernels.
2) Apply vendor-supplied patches or kernel updates that include the fix for this NULL pointer dereference. Where patches are not yet available, consider disabling the f_ncm gadget driver if it is not required for device functionality, to reduce the attack surface.
3) Monitor device logs for kernel panics and USB gadget subsystem errors (for this bug, a NULL pointer dereference at virtual address 0x5c with ncm_do_notify() in the call trace) to detect instability or exploitation attempts.
4) For Android devices, ensure timely OS and kernel updates through managed device update programs.
5) Where USB gadget functionality is critical, test updated kernels in a controlled environment to confirm stability and the absence of regressions.
6) Use network segmentation and device isolation for embedded systems to limit the impact of DoS conditions caused by this vulnerability.
7) Work with device vendors and Linux kernel maintainers to track patch releases and advisories related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-08-21T06:07:11.013Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9831c4522896dcbe7853
Added to database: 5/21/2025, 9:09:05 AM
Last enriched: 7/1/2025, 8:24:49 AM
Last updated: 8/12/2025, 3:39:38 PM