CVE-2026-31723
Analyzed Analyzed - Analysis Complete
Use-After-Free in Linux Kernel USB Gadget Subsystem

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering. To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31723
EUVD
EUVD-2026-26536
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 3.11 (inc) to 6.12.81 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel relates to the lifecycle management of the net_device object within the USB gadget subsystem, specifically the f_subset function.

The net_device is created and registered with the gadget device as its sysfs parent during the bind phase. However, when the function unbinds, the parent gadget device is destroyed but the net_device remains, causing dangling symbolic links in sysfs.

The fix involves using device_move() to properly reparent the net_device between the gadget device tree and the virtual device tree during bind and unbind cycles. This ensures that during unbind, the net_device is moved to the virtual device tree before the gadget device is destroyed, preventing dangling links and maintaining correct sysfs topology and power management ordering.

Additionally, a bound flag is used to maintain compatibility with legacy composite drivers by indicating whether the network device is shared and pre-registered.

Impact Analysis

This vulnerability can lead to dangling sysfs symbolic links for network devices after the USB gadget function unbinds. These dangling links may cause confusion or errors in system management tools or scripts that rely on sysfs for device information.

Improper device lifecycle management could potentially affect power management ordering and system stability related to USB network devices.

However, there is no indication from the provided information that this vulnerability leads to privilege escalation, data leakage, or direct security compromise.

Compliance Impact

The provided information about the vulnerability in the Linux kernel's usb gadget subsystem does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking for dangling sysfs symlinks related to the net_device associated with USB gadget functions. Specifically, you can look for network devices under /sys/class/net that point to non-existent paths in the gadget device tree.

  • Run the command: ls -l /sys/class/net/usb0
  • Then check the target of the symlink with: ls -l /sys/devices/platform/.../gadget.0/net/usb0

If the second command returns 'No such file or directory', it indicates a dangling symlink caused by the net_device surviving after the parent gadget device is destroyed, which is the core issue of this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix that properly manages the net_device lifecycle with device_move().

This fix involves using device_move() to reparent the net_device between the gadget device tree and the virtual device tree during bind and unbind cycles, preventing dangling sysfs symlinks.

If you are using legacy composite drivers, verify that the bound flag is correctly used to indicate shared and pre-registered network devices during the bind phase.

In practice, this means updating your kernel to a version that includes this patch or applying the patch manually if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart