Skip to main content

Linux Kernel CVE-2026-31615

| EUVDEUVD-2026-25508 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-24 Linux GHSA-gggw-8cq2-45cp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 28, 2026 - 17:29 nvd
Patch available
Analysis Generated
Apr 28, 2026 - 17:22 vuln.today
CVSS changed
Apr 28, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25508
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math.

This is just like what was done in commit ee0d382feb44 ("usb: gadget: aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.

AnalysisAI

Null pointer dereference in the Renesas USB3 gadget driver allows local authenticated attackers to trigger a denial of service by sending crafted USB standard requests with invalid endpoint indices that bypass validation in GET_STATUS and SET/CLEAR_FEATURE handlers. The vulnerability affects multiple stable kernel versions and requires local access with user-level privileges, resulting in potential system crash or service disruption.

Technical ContextAI

The vulnerability exists in the Renesas USB3 controller gadget driver (usb: gadget: renesas_usb3), which implements USB device functionality. The GET_STATUS, SET_FEATURE, and CLEAR_FEATURE standard request handlers extract the endpoint number directly from the host-supplied wIndex field in USB control requests without validating that the endpoint index is within the bounds of endpoints actually supported by the device. This allows an attacker to construct a pointer dereference using an out-of-bounds endpoint index, leading to null pointer dereference (CWE-476). The fix involves validating the endpoint index before dereferencing, mirroring similar fixes applied to the ASPEED UDC driver in commit ee0d382feb44.

RemediationAI

Apply the kernel security patch available from the Linux kernel stable repositories. For most users, this involves upgrading to Linux 6.12.83, 6.18.24, 6.19.14, or 7.0.1 depending on the currently deployed stable branch. Patches are available at the git.kernel.org stable tree commits provided: adb8014599fdf0818d3d93f1f74e06cd0bdec08d, 44216e3dd4455b798899b50eedb0ec3831dff8e0, 37f430b2240655e6b0199a92aa1057e4d621be51, and e3d42598f2995cdc07b7779874e7c5f8a1b773db for different branches. Distribution kernel maintainers (Ubuntu, Fedora, Debian, etc.) will backport these fixes to their respective kernel packages; users should apply updates through their standard package management system when available. As a compensating control prior to patching, restrict local user access to USB gadget device interfaces via filesystem permissions or SELinux/AppArmor policies to prevent untrusted users from accessing the vulnerable USB standard request handlers, though this may limit legitimate gadget mode functionality depending on deployment context.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy