Skip to main content

Linux Kernel CVE-2026-31723

| EUVDEUVD-2026-26536 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:15 vuln.today
CVSS changed
May 07, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26536
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_subset: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:

console:/

ls -l /sys/class/net/usb0

lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/

ls -l /sys/devices/platform/.../gadget.0/net/usb0

ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.

AnalysisAI

USB gadget subsystem net_device lifecycle mismanagement in Linux kernel allows local privileged users to cause denial of service through sysfs corruption. The f_subset gadget function creates dangling sysfs symlinks when unbinding due to improper device reparenting, resulting in inaccessible network device references and potential system instability. A local user with sufficient privileges can trigger unbind/rebind cycles to exhaust resources or corrupt the sysfs filesystem state.

Technical ContextAI

The vulnerability affects the Linux kernel's USB gadget subsystem, specifically the f_subset network gadget function (cpe:2.3:a:linux:linux). The root cause involves improper lifecycle management of net_device objects allocated during gadget function initialization. When a USB gadget unbinds, the parent gadget device is destroyed while the associated net_device survives, creating orphaned sysfs symlinks that point to non-existent device tree entries under /sys/devices/platform/.../gadget.0/net/. The fix applies device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual during bind and unbind cycles, ensuring proper sysfs topology and preventing orphaned references. This involves kernel device management and USB subsystem initialization paths.

RemediationAI

Apply vendor-released patches from stable kernel branches: Linux 6.19.12 or later, Linux 6.12.81 or later, Linux 7.0 or later, or Linux 6.18.22 or later. The upstream fix is available via git.kernel.org stable commits 70707ce668494c4d35fe070dfbc7cc541b293107, 9cbc4f109bb216623894d8819fb930210ed34b21, fde29916e4cc736c4ca6c78f331e12b2c73ccafd, and 06524cd1c9011bee141a87e43ab878641ed3652b. For systems unable to immediately upgrade, disable USB gadget functionality if not required by setting USB_GADGET=n in kernel configuration, though this may impact embedded systems or development workflows. Alternatively, restrict access to gadget configuration interfaces in /sys/kernel/config/usb_gadget to trusted administrators only, limiting the ability to trigger bind/unbind cycles.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy