CVE-2026-31728
Awaiting Analysis
Race Condition in Linux Kernel USB Gadget Driver

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

A race condition between gether_disconnect() and eth_stop() leads to a NULL pointer dereference. Specifically, if eth_stop() is triggered concurrently while gether_disconnect() is tearing down the endpoints, eth_stop() attempts to access the cleared endpoint descriptor, causing the following NPE:

    Unable to handle kernel NULL pointer dereference
    Call trace:
     __dwc3_gadget_ep_enable+0x60/0x788
     dwc3_gadget_ep_enable+0x70/0xe4
     usb_ep_enable+0x60/0x15c
     eth_stop+0xb8/0x108

Because eth_stop() crashes while holding the dev->lock, the thread running gether_disconnect() fails to acquire the same lock and spins forever, resulting in a hardlockup:

    Core - Debugging Information for Hardlockup core(7)
    Call trace:
     queued_spin_lock_slowpath+0x94/0x488
     _raw_spin_lock+0x64/0x6c
     gether_disconnect+0x19c/0x1e8
     ncm_set_alt+0x68/0x1a0
     composite_setup+0x6a0/0xc50

The root cause is that the clearing of dev->port_usb in gether_disconnect() is delayed until the end of the function.

Move the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock. This cuts off the link immediately, ensuring eth_stop() will see dev->port_usb as NULL and safely bail out.

Meta Information

Published: 2026-05-01
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-05-01
EPSS Evaluated: 2026-05-05

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
linux | linux_kernel | *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's USB gadget Ethernet driver (u_ether). It occurs between two functions: gether_disconnect() and eth_stop(). When eth_stop() is triggered at the same time gether_disconnect() is tearing down USB endpoints, eth_stop() tries to access an endpoint descriptor that has already been cleared, causing a NULL pointer dereference (NPE).

Because eth_stop() crashes while holding a device lock, the gether_disconnect() function cannot acquire the same lock and ends up spinning forever, causing a hardlockup (system freeze). The root cause is that the clearing of a device pointer (dev->port_usb) is delayed until the end of gether_disconnect(). The fix moves this clearing to the beginning of gether_disconnect() while holding the lock, ensuring eth_stop() sees the pointer as NULL and safely exits.
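
The ordering change described above, modeled in userspace C as an added example (not the kernel's code or the patch itself). The struct and function names are hypothetical, a pthread mutex stands in for dev->lock, and the racing eth_stop() is invoked at a fixed point inside the teardown so the result is deterministic.

```c
#include <pthread.h>
#include <stddef.h>

/* Userspace model; every struct and function name here is hypothetical. */
struct ep   { const int *desc; };   /* endpoint and its descriptor */
struct port { struct ep in_ep; };   /* stands in for the USB link */
struct dev  { pthread_mutex_t lock; struct port *port_usb; };
enum stop_result { STOP_BAILED, STOP_USED_EP, STOP_NULL_DESC };

/* Models eth_stop(): touch the endpoint only while the link is published. */
static enum stop_result model_stop(struct dev *d)
{
    enum stop_result r = STOP_BAILED;
    pthread_mutex_lock(&d->lock);
    if (d->port_usb)    /* kernel code would use the descriptor here */
        r = d->port_usb->in_ep.desc ? STOP_USED_EP : STOP_NULL_DESC;
    pthread_mutex_unlock(&d->lock);
    return r;
}

static void unpublish(struct dev *d)
{
    pthread_mutex_lock(&d->lock);
    d->port_usb = NULL;     /* cleared while holding the lock */
    pthread_mutex_unlock(&d->lock);
}

/* Models gether_disconnect() in the pre-fix (fixed=0) or fixed order. */
static enum stop_result model_disconnect(struct dev *d, int fixed)
{
    struct port *p = d->port_usb;
    enum stop_result seen;
    if (fixed)
        unpublish(d);       /* fix: cut the link first, under the lock */
    p->in_ep.desc = NULL;   /* endpoint teardown clears the descriptor */
    seen = model_stop(d);   /* deterministic stand-in for the race window */
    if (!fixed)
        unpublish(d);       /* pre-fix: link cleared only at the end */
    return seen;
}

/* One teardown; returns what the racing stop path observed. */
enum stop_result run_case(int fixed)
{
    static const int desc = 1;
    struct port p = { .in_ep = { .desc = &desc } };
    struct dev d = { .lock = PTHREAD_MUTEX_INITIALIZER, .port_usb = &p };
    return model_disconnect(&d, fixed);
}
```

run_case(0) returns STOP_NULL_DESC, the state in which the kernel dereferences the cleared descriptor; run_case(1) returns STOP_BAILED.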


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference and subsequently lead to a hardlockup where the system becomes unresponsive. This can result in denial of service (DoS) conditions, affecting system stability and availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a race condition in the Linux kernel's USB gadget u_ether driver, leading to a NULL pointer dereference and a hardlockup.

To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves moving the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock, preventing eth_stop() from accessing a cleared endpoint descriptor.

