CVE-2026-31722
Use-After-Free in Linux Kernel USB Gadget
Publication date: 2026-05-01
Last updated on: 2026-05-06
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.22 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.12 (exc) |
| linux | linux_kernel | From 3.11 (inc) to 6.12.81 (exc) |
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB gadget function f_rndis. The issue arises because the net_device object is allocated during function instance creation and registered with the gadget device as its sysfs parent during the bind phase. However, when the function unbinds, the parent device is destroyed but the net_device remains, causing dangling sysfs symbolic links that point to non-existent locations.
The fix involves using the device_move() function to reparent the net_device between the gadget device tree and the virtual device tree across bind and unbind cycles. Specifically, during the final unbind, device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed, preventing dangling links. When rebinding, device_move() reparents the net_device back under the new gadget device, ensuring proper sysfs topology and power management ordering.
Additionally, a borrowed_net flag is used to maintain compatibility with legacy composite drivers by indicating whether the network device is shared and pre-registered during the legacy driver's bind phase.
How can this vulnerability impact me?
This vulnerability can lead to dangling sysfs symbolic links, which means that references to network devices in the sysfs filesystem point to non-existent or destroyed devices. This can cause confusion or errors in system management tools or scripts that rely on sysfs for device information.
Improper device lifecycle management may also affect power management ordering and system stability related to USB gadget network devices. While the description does not indicate remote code execution or privilege escalation, the flaw can cause inconsistencies in device state representation and potentially impact system reliability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for dangling sysfs symlinks related to the net_device associated with the USB gadget function. Specifically, you can look for symbolic links under /sys/class/net/usb0 that point to non-existent directories.
For example, running the following commands can help identify the issue:
- ls -l /sys/class/net/usb0
- ls -l /sys/devices/platform/.../gadget.0/net/usb0
If the second command returns 'No such file or directory' while the first shows a symlink, it indicates the presence of a dangling sysfs symlink caused by the net_device surviving after the parent gadget device is destroyed.
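The same check generalized to every interface under /sys/class/net, as an added example that is not part of the original advisory or the kernel fix. The function names are hypothetical, and the `virtual` label assumes the standard /sys/devices/virtual location for devices without a physical parent.

```shell
#!/bin/sh
# Added example. Classify each entry under a sysfs net class directory:
#   dangling  symlink target no longer exists (the symptom described above)
#   virtual   device lives under devices/virtual (no physical parent)
#   parented  device lives under a real parent device, e.g. a bound gadget

classify_netdev() {
    link="$1"
    target=$(readlink "$link") || return 1
    if [ ! -e "$link" ]; then          # -e follows the symlink
        state=dangling
    else
        case "$target" in
            */devices/virtual/*) state=virtual ;;
            *)                   state=parented ;;
        esac
    fi
    printf '%s %s %s\n' "$state" "${link##*/}" "$target"
}

scan_netdevs() {
    class_dir="${1:-/sys/class/net}"
    for entry in "$class_dir"/*; do
        [ -L "$entry" ] || continue    # skip plain files such as bonding_masters
        classify_netdev "$entry"
    done
}

# Print only the names of interfaces whose class symlink is broken.
dangling_netdevs() {
    scan_netdevs "${1:-}" | awk '$1 == "dangling" { print $2 }'
}

# Report on the live system (or on the directory given as first argument).
scan_netdevs "${1:-/sys/class/net}"
```

Any line starting with `dangling` identifies an interface whose parent device has been destroyed while the net_device is still registered.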
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the Linux kernel has been updated to properly manage the lifecycle of the net_device associated with the USB gadget function.
The fix involves using the device_move() function to reparent the net_device between the gadget device tree and the virtual device tree during bind and unbind cycles. Specifically, during the final unbind, device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed, preventing dangling symlinks.
Therefore, the immediate step is to update your Linux kernel to a version that includes this fix.