Linux Set to Silence Insecure Microsoft RNDIS in 2026

Greg Kroah-Hartman updated his rndis branch again on May 31. The Linux kernel maintainer added patches that would disable every driver tied to Microsoft’s Remote Network Driver Interface Specification. For years the protocol has lingered in the kernel despite repeated warnings. Now the end appears near.

The move caps a saga that began in early 2023. Back then Kroah-Hartman first proposed marking the RNDIS code as broken. He argued the design itself invited trouble. “The Microsoft RNDIS protocol is, as designed, insecure and vulnerable on any system that uses it with untrusted hosts or devices,” he wrote in the commit message. “Because the protocol is impossible to make secure, just disable all rndis drivers to prevent anyone from using them again.” That language has stayed consistent across updates.

Phoronix first covered the initial push in January 2023. Phoronix reported on the latest activity just hours after the branch refresh. The site noted that activity had quieted since 2024 before this fresh signal. One patch directly disables the protocol drivers. Another addresses a host-side issue with invalid sizes. Both sit in Greg Kroah-Hartman’s personal git tree at kernel.org.

Why does RNDIS matter? It turns a USB connection into a virtual Ethernet link. Microsoft created it for Windows XP and later. Device makers adopted it for tethering phones and providing network access without separate drivers. Linux added support. Android used it too. But the protocol assumes a trusted environment. That assumption fails in the real world.

Attackers can exploit the complexity. Race conditions surface. Memory issues appear. Recent CVEs tied to the f_rndis gadget driver underscore the point. SentinelOne documented CVE-2026-43342, a race condition in how RNDIS options are accessed. Similar flaws have appeared before. Each one reminds maintainers why the code should go.

Yet removal has not been simple. Some embedded devices and older hardware still rely on it. USB tethering on certain phones breaks without RNDIS. Android itself moved away years ago, switching to NCM. That precedent gives kernel developers confidence few legitimate users remain.

Kroah-Hartman has made the case repeatedly. Windows systems older than XP can fall back to standard USB class protocols. Those do not carry the same risks. Newer Windows installations include RNDIS but no longer install it automatically. Neowin highlighted this oddity in January 2025. Linux is shedding a Microsoft protocol that Windows 10 and 11 still ship, albeit passively. Neowin detailed how the commit landed in late 2024 after the 2022 proposal.

ZDNet explored the complications in 2023. The article quoted Kroah-Hartman on the LKML and noted that alternatives exist. Network Control Model offers stronger security. CDC Ethernet provides a cleaner path. Both see better support in modern kernels. Yet many Android devices refuse to switch. Tethering fails. Users complain. That friction slowed progress for three years. ZDNet explained why the change felt messy despite the clear security win.

Security teams now face concrete work. LinuxSecurity.com published guidance on the shift. The site urged administrators to prepare for drivers disappearing by early 2025 if momentum holds. It recommended enabling CONFIG_USB_NET_CDCETHER instead. That option delivers Ethernet over USB through the CDC-ECM class. The implementation stays simpler. Audits become easier. Risks drop. LinuxSecurity.com laid out steps for kernel configuration and monitoring upstream channels.

But. The transition carries edge cases. Industrial systems. Legacy test equipment. Custom boards that never updated firmware. Distributors may carry patches to keep RNDIS alive for paying customers. Out-of-tree modules could surface. The kernel community has seen this pattern with other deprecated subsystems.

Recent kernel cleanup trends add context. Linus Torvalds merged massive deletions of old network code, ISDN, and ham radio drivers in 2025. Many removals responded to LLM-generated bug reports that overwhelmed maintainers. LWN.net reported on the pattern in April 2026. RNDIS fits the same logic. Unused or insecure code drains attention. Better to excise it.

Distributions will react at different speeds. Some may blacklist usb_f_rndis immediately. Others will wait for the code to vanish from mainline. Enterprise kernels often lag. Embedded vendors might resist longest. The result? Fragmentation until the old protocol fades from memory.

Android’s early exit offers a clue. Once Google disabled RNDIS, complaints stayed minimal. Modern phones favor NCM or direct USB Ethernet. Linux gadgets can follow. The kernel already ships capable drivers. Configuration just needs attention.

Greg Kroah-Hartman maintains the stable series. His persistence matters. Each branch update keeps the pressure on. The 2026 kernel could mark the official disablement. Code might linger behind a BROKEN flag first, then disappear entirely. That’s the pattern he described years ago.

Organizations scanning their fleets should act now. Identify any USB gadget configurations that bind to RNDIS functions. Audit configfs setups. Test CDC-ECM equivalents in staging environments. The change will not wait forever. When the patch set lands in linux-next, migration timelines tighten.

Critics may call the removal overdue. Defenders of compatibility will argue for one more delay. The evidence tilts heavily toward removal. The protocol cannot be fixed. Modern substitutes exist. Legacy use cases shrink. Security wins.

So the kernel inches forward. One more insecure corner cleaned. Users gain a smaller attack surface. Maintainers lose one headache. The internet rarely notices until something breaks. This time the break is intentional. And deliberate. The protocol that should never have spread so far finally meets its end.