CVE-2026-31755
Awaiting Analysis Awaiting Analysis - Queue
NULL pointer dereference in Linux kernel USB gadget driver

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix NULL pointer dereference in ep_queue When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash. Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints. This prevents potential crashes when ep_queue is called on endpoints that are not ready.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31755
EUVD
EUVD-2026-26568
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.22 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 5.4 (inc) to 5.15.203 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's USB gadget driver for cdns3. Specifically, when a gadget endpoint is disabled or not yet configured, a pointer called ep->desc can be NULL. If the function __cdns3_gadget_ep_queue() is called in this state, it attempts to dereference this NULL pointer, which causes the kernel to crash.

The fix involves adding a check to see if ep->desc is NULL and returning an error code (-ESHUTDOWN) if it is, preventing the kernel crash by avoiding the NULL pointer dereference.

Impact Analysis

This vulnerability can cause the Linux kernel to crash when the affected USB gadget endpoint is accessed while disabled or unconfigured. Such a crash can lead to system instability, denial of service, or unexpected reboots, potentially disrupting normal operations.

Mitigation Strategies

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix for the NULL pointer dereference in the cdns3 gadget endpoint. The fix adds a check to return -ESHUTDOWN if the endpoint descriptor is NULL, preventing kernel crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart