CVE-2026-31756
Awaiting Analysis Awaiting Analysis - Queue
Race Condition in Linux Kernel USB DWC2 Gadget Driver

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro, which expects hsotg->lock to be held since it does spin_unlock/spin_lock around the gadget driver callback invocation. However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the lock. This leads to: - spin_unlock on a lock that is not held (undefined behavior) - The lock remaining held after dwc2_gadget_exit_clock_gating() returns, causing a deadlock when spin_lock_irqsave() is called later in the same function. Fix this by acquiring hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, which satisfies the locking requirement of the call_gadget() macro.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-01
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31756
EUVD
EUVD-2026-26569
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's USB dwc2 gadget driver. Specifically, the function dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the required lock (hsotg->lock). The dwc2_gadget_exit_clock_gating() function internally calls a macro that expects this lock to be held because it performs spin_unlock and spin_lock operations around a gadget driver callback.

Because the lock is not held when dwc2_gadget_exit_clock_gating() is called, it causes undefined behavior by attempting to spin_unlock a lock that is not held. Additionally, the lock remains held after the function returns, which leads to a deadlock when the same lock is later requested again in the same function.

The fix involves acquiring the lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, ensuring proper lock handling and preventing deadlocks.


How can this vulnerability impact me? :

This vulnerability can cause undefined behavior and deadlocks in the Linux kernel's USB gadget driver. Specifically, it may lead to system instability or crashes when the affected function is executed, as the improper locking can cause the kernel to hang or become unresponsive.

Such deadlocks can affect the availability and reliability of USB device functionality on affected systems, potentially disrupting normal operations that depend on USB communication.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by a spin_lock/unlock mismatch in the Linux kernel's dwc2 USB gadget driver. To mitigate this vulnerability, you should update your Linux kernel to a version where this issue is fixed.

Specifically, ensure that the kernel includes the fix that acquires the hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releases it afterwards, which prevents deadlocks and undefined behavior.

If updating the kernel is not immediately possible, consider avoiding use of the affected USB gadget functionality until a patched kernel is applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart