CVE-2026-31724
Use-After-Free in Linux Kernel USB Gadget EEM Driver
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's USB gadget function f_eem, related to the lifecycle management of the net_device structure.
The net_device is allocated when the function instance is created and registered during the bind phase with the gadget device as its sysfs parent. However, when the function unbinds, the parent gadget device is destroyed but the net_device remains, causing dangling sysfs symbolic links that point to non-existent locations.
The fix involves using device_move() to properly reparent the net_device between the gadget device tree and the virtual device tree during bind and unbind cycles. This ensures that during unbind, the net_device is moved to the virtual device tree before the gadget device is destroyed, preventing dangling links and maintaining correct sysfs topology and power management ordering.
Additionally, a bound flag is used to maintain compatibility with legacy composite drivers by indicating whether the network device is shared and pre-registered during the legacy driver's bind phase.
How can this vulnerability impact me? :
This vulnerability can lead to dangling sysfs symbolic links that reference net_device entries which no longer exist. This can cause confusion or errors in system management tools or scripts that rely on sysfs for device information.
Improper lifecycle management of net_device objects may also affect power management ordering and system stability related to USB gadget network devices.
While the description does not explicitly mention security exploits, the presence of dangling device references could potentially be leveraged in complex attack scenarios or cause system misbehavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for dangling sysfs symlinks related to the net_device associated with USB gadget functions. Specifically, you can look for symbolic links in /sys/class/net/usb0 that point to non-existent directories under /sys/devices/platform/.../gadget.0/net/usb0.
A command example to detect this issue is:
- ls -l /sys/class/net/usb0
- ls -l /sys/devices/platform/.../gadget.0/net/usb0
If the second command returns "No such file or directory" while the first shows a symlink, it indicates the presence of the dangling symlink caused by the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix that properly manages the net_device lifecycle with device_move().
The fix involves using device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual during bind and unbind cycles. This prevents dangling sysfs symlinks by moving the net_device to the virtual device tree before the gadget device is destroyed.
Therefore, the immediate step is to update your Linux kernel to a version that contains this fix.