CVE-2026-31754
USB Gadget State Inconsistency in Linux Kernel
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's cdns3 USB gadget driver. When the function cdns3_gadget_start() fails, the Dual Role Device (DRD) hardware remains stuck in gadget mode, while the software state incorrectly remains INACTIVE. This mismatch between hardware and software states violates the DRD controller design specification, which requires the device to return to an idle state before switching roles.
As a result, when attempting to switch the USB role to host mode via sysfs, the role state is not properly updated, causing cleanup functions to be skipped. This leads to a synchronous external abort (a type of system crash) in the xHCI host controller setup process, causing kernel errors and instability.
The fix involves properly cleaning up the DRD gadget state by calling cdns_drd_gadget_off() in the error path to prevent this hardware/software state inconsistency.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash or become unstable due to a synchronous external abort in the USB host controller when switching USB roles. This can lead to system crashes, loss of data, or denial of service on affected devices using the cdns3 USB gadget driver.
Devices relying on USB role switching between gadget and host modes may experience failures or unexpected behavior, potentially disrupting normal operation and requiring a system reboot.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring system logs for specific error messages related to the cdns3 USB gadget driver and the xHCI host controller.
- Look for messages such as 'configfs-gadget 13180000.usb: failed to start g1: -19', 'cdns-usb3 13180000.usb: Failed to add gadget', and 'cdns-usb3 13180000.usb: set role 2 has failed' in the kernel logs.
- Check for synchronous external abort errors in the xHCI host controller, e.g., 'xhci-hcd xhci-hcd.1.auto: xHCI Host Controller Internal error: synchronous external abort'.
- Use the command 'dmesg | grep -E "failed to start g1|Failed to add gadget|set role 2 has failed|synchronous external abort"' to filter relevant kernel messages.
- Monitor the USB role switching status by checking the content of '/sys/class/usb_role/13180000.usb-role-switch/role' and related sysfs entries.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Linux kernel version in use includes the fix that properly cleans up the DRD gadget state by calling cdns_drd_gadget_off() on gadget initialization failure.
If an update is not immediately available, avoid switching USB roles on affected hardware to prevent the hardware/software state inconsistency.
Monitor system logs for the described errors and avoid operations that trigger the cdns3 gadget initialization failure until the patch is applied.