CVE-2026-31725
Use-After-Free in Linux Kernel USB Gadget ECM
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's USB gadget function (f_ecm) related to the lifecycle management of the net_device object. When a USB gadget function binds, it creates and registers a net_device with the gadget device as its sysfs parent. However, when the function unbinds, the parent gadget device is destroyed but the net_device remains, causing dangling sysfs symbolic links that point to non-existent locations.
The fix involves using the device_move() function to properly reparent the net_device between the gadget device tree and the virtual device tree during bind and unbind cycles. Specifically, during unbind, device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed, preventing dangling links. On rebinding, device_move() reparents the net_device back under the new gadget device, ensuring correct sysfs topology and power management ordering.
Additionally, a bound flag is used to maintain compatibility with legacy composite drivers by indicating whether the network device is shared and pre-registered during the legacy driver's bind phase.
How can this vulnerability impact me?
This vulnerability can lead to dangling sysfs symbolic links that reference non-existent net_device entries after the USB gadget function unbinds. This can cause confusion or errors in system management tools or scripts that rely on sysfs to monitor or manage network devices.
Improper device lifecycle management may also affect power management ordering and system stability related to USB network devices, potentially leading to unexpected behavior or resource leaks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for dangling sysfs symlinks related to the net_device after the gadget device has been unbound. Specifically, check whether the symbolic link /sys/class/net/usb0 points to a directory under /sys/devices/platform/.../gadget.0/net/usb0 that no longer exists.
Suggested commands to detect this issue are:
- ls -l /sys/class/net/usb0
- ls -l /sys/devices/platform/.../gadget.0/net/usb0
If the second command returns 'No such file or directory' while the first shows a symlink, it indicates the presence of the dangling symlink caused by this vulnerability.
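The same check generalized to every interface under /sys/class/net, as an added example (not taken from the advisory or the kernel patch). The function name find_dangling_net_links is hypothetical, and the script assumes only POSIX sh and readlink.

```shell
#!/bin/sh
# Added example: list network interfaces whose sysfs class symlink points
# at a device directory that no longer exists (the symptom described above).
# Usage: find_dangling_net_links [class_dir]   (default: /sys/class/net)
# find_dangling_net_links is a hypothetical name, not a kernel or distro tool.
find_dangling_net_links() {
    class_dir="${1:-/sys/class/net}"
    # Nothing to scan on systems without the directory.
    [ -d "$class_dir" ] || return 0
    for link in "$class_dir"/*; do
        # Only symlinks matter; skip plain files such as bonding_masters
        # and the unexpanded glob when the directory is empty.
        [ -L "$link" ] || continue
        # -e follows the symlink, so it is false when the target is gone.
        if [ ! -e "$link" ]; then
            printf '%s -> %s\n' "${link##*/}" "$(readlink "$link")"
        fi
    done
    return 0
}

# Scan the live system (or the directory given as the first argument).
find_dangling_net_links "$@"
```

Each output line names an interface and the missing target its symlink still references; no output means no dangling links were found.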
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Linux kernel is updated to a version where the fix has been applied. The fix involves using device_move() to properly reparent the net_device between the gadget device tree and /sys/devices/virtual during bind and unbind cycles.
Specifically, during the final unbind, device_move(NULL) should be called to move the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() should reparent the device back under the new gadget.
If updating the kernel is not immediately possible, monitor for dangling sysfs symlinks as a temporary detection measure and avoid unbinding gadget devices unnecessarily.