CVE-2026-31728
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel USB Gadget Driver

Publication date: 2026-05-01

Last updated on: 2026-05-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop A race condition between gether_disconnect() and eth_stop() leads to a NULL pointer dereference. Specifically, if eth_stop() is triggered concurrently while gether_disconnect() is tearing down the endpoints, eth_stop() attempts to access the cleared endpoint descriptor, causing the following NPE: Unable to handle kernel NULL pointer dereference Call trace: __dwc3_gadget_ep_enable+0x60/0x788 dwc3_gadget_ep_enable+0x70/0xe4 usb_ep_enable+0x60/0x15c eth_stop+0xb8/0x108 Because eth_stop() crashes while holding the dev->lock, the thread running gether_disconnect() fails to acquire the same lock and spins forever, resulting in a hardlockup: Core - Debugging Information for Hardlockup core(7) Call trace: queued_spin_lock_slowpath+0x94/0x488 _raw_spin_lock+0x64/0x6c gether_disconnect+0x19c/0x1e8 ncm_set_alt+0x68/0x1a0 composite_setup+0x6a0/0xc50 The root cause is that the clearing of dev->port_usb in gether_disconnect() is delayed until the end of the function. Move the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock. This cuts off the link immediately, ensuring eth_stop() will see dev->port_usb as NULL and safely bail out.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31728
EUVD
EUVD-2026-26541
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.169 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 2.6.27 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a race condition in the Linux kernel's USB gadget Ethernet driver (u_ether). It occurs between two functions: gether_disconnect() and eth_stop(). When eth_stop() is triggered at the same time gether_disconnect() is tearing down USB endpoints, eth_stop() tries to access an endpoint descriptor that has already been cleared, causing a NULL pointer dereference (NPE).

Because eth_stop() crashes while holding a device lock, the gether_disconnect() function cannot acquire the same lock and ends up spinning forever, causing a hardlockup (system freeze). The root cause is that the clearing of a device pointer (dev->port_usb) is delayed until the end of gether_disconnect(). The fix moves this clearing to the beginning of gether_disconnect() while holding the lock, ensuring eth_stop() sees the pointer as NULL and safely exits.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference and subsequently lead to a hardlockup where the system becomes unresponsive. This can result in denial of service (DoS) conditions, affecting system stability and availability.

Mitigation Strategies

The vulnerability is caused by a race condition in the Linux kernel's usb gadget u_ether driver, leading to a NULL pointer dereference and a hardlockup.

To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves moving the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock, preventing eth_stop() from accessing a cleared endpoint descriptor.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31728. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart