CVE-2026-31728
Race Condition in Linux Kernel USB Gadget Driver
Publication date: 2026-05-01
Last updated on: 2026-05-07
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.22 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.169 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.12 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.81 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.134 (exc) |
| linux | linux_kernel | From 2.6.27 (inc) to 5.10.253 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a race condition in the Linux kernel's USB gadget Ethernet driver (u_ether). It occurs between two functions: gether_disconnect() and eth_stop(). When eth_stop() is triggered at the same time gether_disconnect() is tearing down USB endpoints, eth_stop() tries to access an endpoint descriptor that has already been cleared, causing a NULL pointer dereference (NPE).
Because eth_stop() crashes while holding a device lock, the gether_disconnect() function cannot acquire the same lock and ends up spinning forever, causing a hardlockup (system freeze). The root cause is that the clearing of a device pointer (dev->port_usb) is delayed until the end of gether_disconnect(). The fix moves this clearing to the beginning of gether_disconnect() while holding the lock, ensuring eth_stop() sees the pointer as NULL and safely exits.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference and subsequently lead to a hardlockup where the system becomes unresponsive. This can result in denial of service (DoS) conditions, affecting system stability and availability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by a race condition in the Linux kernel's usb gadget u_ether driver, leading to a NULL pointer dereference and a hardlockup.
To mitigate this vulnerability, update the Linux kernel to a version where the fix has been applied. The fix involves moving the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock, preventing eth_stop() from accessing a cleared endpoint descriptor.