CVE-2026-31754

Severity: MEDIUM (CVSS 3.1 base score 5.5)
EPSS: 2.4%
Published: May 1, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix state inconsistency on gadget init failure

When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency.

When switching to host mode via sysfs:

    echo host > /sys/class/usb_role/13180000.usb-role-switch/role

The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles.

This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller:

    [ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19
    [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget
    [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed
    ...
    [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
    [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
    [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408
    [ 1301.393391] backtrace:
        ...
        xhci_gen_setup+0xa4/0x408       <-- CRASH
        xhci_plat_setup+0x44/0x58
        usb_add_hcd+0x284/0x678
        ...
        cdns_role_set+0x9c/0xbc         <-- Role switch

Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.
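The state mismatch described above, as an added user-space model in C that is not code from the kernel or from this page. The type and function names are hypothetical stand-ins, and a return of -1 from the host-start step stands in for the synchronous external abort.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not a kernel symbol. */
enum hw_mode { HW_IDLE, HW_GADGET, HW_HOST };
enum role_state { STATE_INACTIVE, STATE_ACTIVE };
struct drd_model {
    enum hw_mode hw;       /* mode the DRD hardware is configured for */
    enum role_state state; /* what the role-switch software believes */
};
/* Gadget start: hardware enters gadget mode, then gadget registration may fail. */
static int model_gadget_start(struct drd_model *m, bool add_fails, bool fixed) {
    m->hw = HW_GADGET;
    if (add_fails) {
        if (fixed)
            m->hw = HW_IDLE; /* error-path cleanup, as the fix describes */
        return -19;          /* error code shown in the page's log */
    }
    m->state = STATE_ACTIVE;
    return 0;
}
/* Role stop: cleanup is skipped while software state is INACTIVE. */
static void model_role_stop(struct drd_model *m) {
    if (m->state == STATE_INACTIVE)
        return;
    m->hw = HW_IDLE;
    m->state = STATE_INACTIVE;
}
/* Host start: valid only from idle; -1 stands in for the external abort. */
static int model_host_start(struct drd_model *m) {
    if (m->hw != HW_IDLE)
        return -1;
    m->hw = HW_HOST;
    m->state = STATE_ACTIVE;
    return 0;
}

/* Failed gadget init, then a switch to host; returns the host start result. */
int switch_to_host_after_failed_gadget(bool fixed) {
    struct drd_model m = { HW_IDLE, STATE_INACTIVE };
    (void)model_gadget_start(&m, true, fixed);
    model_role_stop(&m);
    return model_host_start(&m);
}

int main(void) {
    printf("unfixed: %d\n", switch_to_host_after_failed_gadget(false));
    printf("fixed:   %d\n", switch_to_host_after_failed_gadget(true));
    return 0;
}
```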

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
2.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 12

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.4 – <5.15.203
linux   linux_kernel  *        ≥5.16 – <6.1.168
linux   linux_kernel  *        ≥6.2 – <6.6.134
linux   linux_kernel  *        ≥6.7 – <6.12.81
linux   linux_kernel  *        ≥6.13 – <6.18.22
linux   linux_kernel  *        ≥6.19 – <6.19.12
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 7

  • git.kernel.org https://git.kernel.org/stable/c/5a85599ca4d2584d89dc69f4fc49303b75a42338
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b1d301fbae837bf6979a19030b81d869bb15f7a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c32f8748d70c8fc77676ad92ed76cede17bf2c48
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cfca84f5986afceb63a3adf39d4a98e915aebbc2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fb7110a052467098967284ef14d306810b354937
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/5a85599ca4d2584d89dc69f4fc49303b75a42338
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b1d301fbae837bf6979a19030b81d869bb15f7a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b490f0e477d26d29ed51e5dc47e3b9bd31bcb49f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c32f8748d70c8fc77676ad92ed76cede17bf2c48
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cfca84f5986afceb63a3adf39d4a98e915aebbc2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/fb7110a052467098967284ef14d306810b354937
    Patch