CVE-2026-31721

MEDIUM EPSS 2.4%
Published May 1, 20261mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 1, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind the UDC - use the fd in EPOLL_CTL_DEL When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them. The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥3.19  –  <5.10.253
linuxlinux_kernel*≥5.11  –  <5.15.203
linuxlinux_kernel*≥5.16  –  <6.1.169
linuxlinux_kernel*≥6.2  –  <6.6.135
linuxlinux_kernel*≥6.7  –  <6.12.81
linuxlinux_kernel*≥6.13  –  <6.18.22
linuxlinux_kernel*≥6.19  –  <6.19.12
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362
    Patch