CVE-2026-31755
Awaiting Analysis Awaiting Analysis - Queue
NULL pointer dereference in Linux kernel USB gadget driver

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix NULL pointer dereference in ep_queue When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash. Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints. This prevents potential crashes when ep_queue is called on endpoints that are not ready.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-05-27
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-26
NVD
CVE-2026-31755
EUVD
EUVD-2026-26568
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.4 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's USB gadget driver for cdns3. Specifically, when a gadget endpoint is disabled or not yet configured, a pointer called ep->desc can be NULL. If the function __cdns3_gadget_ep_queue() is called in this state, it attempts to dereference this NULL pointer, which causes the kernel to crash.

The fix involves adding a check to see if ep->desc is NULL and returning an error code (-ESHUTDOWN) if it is, preventing the kernel crash by avoiding the NULL pointer dereference.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash when the affected USB gadget endpoint is accessed while disabled or unconfigured. Such a crash can lead to system instability, denial of service, or unexpected reboots, potentially disrupting normal operations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the NULL pointer dereference in the cdns3 gadget endpoint. The fix adds a check to return -ESHUTDOWN if the endpoint descriptor is NULL, preventing kernel crashes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart