CVE-2026-31726
Awaiting Analysis - Queue
NULL pointer dereference in Linux kernel USB gadget UVC driver

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: fix NULL pointer dereference during unbind race

Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") introduced two stages of synchronization waits totaling 1500ms in uvc_function_unbind() to prevent several types of kernel panics. However, this timing-based approach is insufficient during power management (PM) transitions. When the PM subsystem starts freezing user space processes, the wait_event_interruptible_timeout() is aborted early, which allows the unbind thread to proceed and nullify the gadget pointer (cdev->gadget = NULL):

  [ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()
  [ 814.178583][ T3173] PM: suspend entry (deep)
  [ 814.192487][ T3173] Freezing user space processes
  [ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release

When the PM subsystem resumes or aborts the suspend and tasks are restarted, the V4L2 release path is executed and attempts to access the already nullified gadget pointer, triggering a kernel panic:

  [ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake
  [ 814.386727][ T3173] Restarting tasks ...
  [ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
  [ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4
  [ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94
  [ 814.404078][ T4558] Call trace:
  [ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4
  [ 814.404083][ T4558] usb_function_deactivate+0x54/0x94
  [ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c
  [ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac
  [ 814.404095][ T4558] v4l2_release+0xcc/0x130

Address the race condition and NULL pointer dereference by:

1. State Synchronization (flag + mutex)
   Introduce a 'func_unbound' flag in struct uvc_device. This allows uvc_function_disconnect() to safely skip accessing the nullified cdev->gadget pointer. As suggested by Alan Stern, this flag is protected by a new mutex (uvc->lock) to ensure proper memory ordering and prevent instruction reordering or speculative loads. This mutex is also used to protect 'func_connected' for consistent state management.

2. Explicit Synchronization (completion)
   Use a completion to synchronize uvc_function_unbind() with the uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by ensuring struct uvc_device is freed after all video device resources are released.
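The following userland C model is an added illustration of the synchronization scheme the commit message describes; it is not the kernel's code. The flag names func_unbound and func_connected and the lock name uvc->lock come from the description; the struct layout, the lock_depth and released stand-ins for the mutex and completion, and the return values are assumptions made so the two orderings (unbind racing ahead of release, and the normal release-then-unbind order) can be exercised without a USB gadget.

```c
#include <stdbool.h>
#include <stddef.h>
/* Userland model (added here, not kernel code) of the flag + lock + completion
 * scheme the fix describes. In the kernel the two paths run in separate threads;
 * here they run sequentially so the ordering can be exercised without hardware. */
struct gadget { int active; };
struct cdev { struct gadget *gadget; };   /* composite layer nullifies this */

struct uvc_device {
    struct cdev *cdev;
    bool func_connected;   /* a V4L2 client currently holds the device open */
    bool func_unbound;     /* set by unbind before cdev->gadget goes away */
    int  lock_depth;       /* stand-in for the uvc->lock mutex (assumption) */
    bool released;         /* stand-in for the completion signalled on release */
};

static void uvc_lock(struct uvc_device *u)   { u->lock_depth++; }
static void uvc_unlock(struct uvc_device *u) { u->lock_depth--; }
/* Models usb_gadget_deactivate(): the dereference that crashed on a NULL gadget. */
static int usb_gadget_deactivate(struct gadget *g) { g->active = 0; return 1; }
/* uvc_function_disconnect() after the fix: read both flags under the lock and
 * skip the dereference once unbind has run. Returns 1 if deactivated, 0 if skipped. */
int uvc_function_disconnect(struct uvc_device *u)
{
    int deactivated = 0;
    uvc_lock(u);
    if (u->func_connected && !u->func_unbound)
        deactivated = usb_gadget_deactivate(u->cdev->gadget);
    u->func_connected = false;
    uvc_unlock(u);
    return deactivated;
}

/* V4L2 release path: disconnect, then signal completion so unbind may free. */
int uvc_v4l2_release(struct uvc_device *u)
{
    int r = uvc_function_disconnect(u);
    u->released = true;
    return r;
}

/* uvc_function_unbind(): publish func_unbound under the lock, after which the
 * composite layer nullifies cdev->gadget. Returns true only once release has
 * signalled (the kernel blocks on the completion instead of returning early). */
bool uvc_function_unbind(struct uvc_device *u)
{
    uvc_lock(u);
    u->func_unbound = true;
    uvc_unlock(u);
    u->cdev->gadget = NULL;
    return u->released;
}
```

In the unpatched driver the first ordering below reaches usb_gadget_deactivate() with a NULL gadget; with the flag check it is skipped and the release still signals completion.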
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor         Product        Version / Range
linux_kernel   linux_kernel   *
linux          kernel         *
linux          linux_kernel   *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a NULL pointer dereference in the Linux kernel's USB gadget UVC (USB Video Class) driver that occurs during a race condition in the unbind process.

Specifically, during power management transitions, the unbind thread can proceed prematurely and nullify a gadget pointer. Later, when the system resumes, the release path tries to access this nullified pointer, causing a kernel panic.

The issue arises because the previous synchronization method, which relied on timing waits, is insufficient when user space processes are frozen during power management. The fix involves adding explicit state synchronization using a flag and mutex, and completion synchronization to prevent use-after-free conditions.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to panic due to a NULL pointer dereference, leading to a system crash.

Such kernel panics can result in system instability, unexpected reboots, and potential loss of data or service availability, especially on systems using the USB gadget UVC driver during power management events.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel NULL pointer dereference during power management transitions, which can cause kernel panics. Detection involves monitoring system logs for specific kernel panic messages related to the USB gadget UVC function.

  • Check kernel logs for messages like 'uvc_function_unbind no clean disconnect, wait for release' and 'Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030'.
  • Use the command: dmesg | grep -i 'uvc_function_unbind'
  • Use the command: journalctl -k | grep -i 'uvc_function_unbind'
  • Look for kernel panic traces involving usb_gadget_deactivate, usb_function_deactivate, and uvc_function_disconnect in system logs.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix addressing the NULL pointer dereference in the USB gadget UVC function.

The fix involves synchronization improvements such as introducing a 'func_unbound' flag protected by a mutex and using completion synchronization to prevent use-after-free conditions.

Until the patch is applied, avoid power management transitions (suspend/resume) on systems using the affected USB gadget UVC function to reduce the risk of kernel panics.

