CVE-2026-31721
Awaiting Analysis Awaiting Analysis - Queue
USB HID Gadget Use-After-Free in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind the UDC - use the fd in EPOLL_CTL_DEL When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them. The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31721
EUVD
EUVD-2026-26534
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.169 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.135 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 3.19 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB gadget HID function (f_hid). It occurs when setting up and binding an HID gadget, opening /dev/hidg0, using the file descriptor in EPOLL_CTL_ADD, unbinding and rebinding the USB Device Controller (UDC), and then using the file descriptor in EPOLL_CTL_DEL.

The root cause is that the wait queues registered by f_hid via poll_wait were initialized inside the bind function (hidg_bind) using init_waitqueue_head. This re-initialization happened while there were still items in the queues, leading to list_del corruption when CONFIG_DEBUG_LIST was enabled.

The fix involved moving the initialization of these queues from the bind function to the allocation function (hidg_alloc), ensuring the queues' lifetimes match the function instance and preventing corruption.

Impact Analysis

This vulnerability can cause list corruption within the kernel when using HID gadget devices under specific conditions involving binding and unbinding the USB Device Controller and manipulating file descriptors with epoll.

Such corruption may lead to kernel instability, crashes, or unpredictable behavior of USB HID gadgets, potentially affecting system reliability and security.

Mitigation Strategies

The vulnerability is resolved by moving the initialization of certain lists and spinlocks from the bind function to the alloc function in the Linux kernel's HID gadget driver. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Specifically, ensure that your kernel version includes the patch that moves the initialization of wait queues from hidg_bind to hidg_alloc, preventing list_del corruption when using EPOLL_CTL_ADD and EPOLL_CTL_DEL on /dev/hidg0 file descriptors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart