CVE-2026-31754
Analyzed Analyzed - Analysis Complete
USB Gadget State Inconsistency in Linux Kernel

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix state inconsistency on gadget init failure When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency. When switching to host mode via sysfs: echo host > /sys/class/usb_role/13180000.usb-role-switch/role The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles. This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller: [ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19 [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed ... [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408 [ 1301.393391] backtrace: ... xhci_gen_setup+0xa4/0x408 <-- CRASH xhci_plat_setup+0x44/0x58 usb_add_hcd+0x284/0x678 ... cdns_role_set+0x9c/0xbc <-- Role switch Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31754
EUVD
EUVD-2026-26567
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.4 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel's cdns3 USB gadget driver. When the function cdns3_gadget_start() fails, the Dual Role Device (DRD) hardware remains stuck in gadget mode, while the software state incorrectly remains INACTIVE. This mismatch between hardware and software states violates the DRD controller design specification, which requires the device to return to an idle state before switching roles.

As a result, when attempting to switch the USB role to host mode via sysfs, the role state is not properly updated, causing cleanup functions to be skipped. This leads to a synchronous external abort (a type of system crash) in the xHCI host controller setup process, causing kernel errors and instability.

The fix involves properly cleaning up the DRD gadget state by calling cdns_drd_gadget_off() in the error path to prevent this hardware/software state inconsistency.

Impact Analysis

This vulnerability can cause the Linux kernel to crash or become unstable due to a synchronous external abort in the USB host controller when switching USB roles. This can lead to system crashes, loss of data, or denial of service on affected devices using the cdns3 USB gadget driver.

Devices relying on USB role switching between gadget and host modes may experience failures or unexpected behavior, potentially disrupting normal operation and requiring a system reboot.

Detection Guidance

This vulnerability can be detected by monitoring system logs for specific error messages related to the cdns3 USB gadget driver and the xHCI host controller.

  • Look for messages such as 'configfs-gadget 13180000.usb: failed to start g1: -19', 'cdns-usb3 13180000.usb: Failed to add gadget', and 'cdns-usb3 13180000.usb: set role 2 has failed' in the kernel logs.
  • Check for synchronous external abort errors in the xHCI host controller, e.g., 'xhci-hcd xhci-hcd.1.auto: xHCI Host Controller Internal error: synchronous external abort'.
  • Use the command 'dmesg | grep -E "failed to start g1|Failed to add gadget|set role 2 has failed|synchronous external abort"' to filter relevant kernel messages.
  • Monitor the USB role switching status by checking the content of '/sys/class/usb_role/13180000.usb-role-switch/role' and related sysfs entries.
Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version in use includes the fix that properly cleans up the DRD gadget state by calling cdns_drd_gadget_off() on gadget initialization failure.

If an update is not immediately available, avoid switching USB roles on affected hardware to prevent the hardware/software state inconsistency.

Monitor system logs for the described errors and avoid operations that trigger the cdns3 gadget initialization failure until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart