Skip to main content

Linux Kernel CVE-2026-31724

| EUVDEUVD-2026-26537 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:15 vuln.today
CVSS changed
May 07, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26537
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_eem: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:

console:/

ls -l /sys/class/net/usb0

lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/

ls -l /sys/devices/platform/.../gadget.0/net/usb0

ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.

AnalysisAI

Denial of service in Linux kernel USB gadget EEM function allows local privileged attackers to crash the system by triggering a dangling sysfs symlink condition during gadget device unbind cycles. The vulnerability arises from improper net_device lifecycle management when the parent gadget device is destroyed while the network device persists, resulting in kernel panic or system instability. CVSS 5.5 reflects local privilege requirement (PR:L) and high availability impact, with EPSS at 0.02% percentile indicating minimal real-world exploitation probability despite patch availability.

Technical ContextAI

The Linux kernel USB gadget subsystem manages Ethernet Emulation Module (EEM) functions that expose network interfaces (net_device) within sysfs hierarchy. When a gadget device binds, the EEM function registers its net_device under the gadget as sysfs parent. During unbind operations, the parent gadget device is destroyed but the net_device structure persists in memory, creating dangling sysfs symlinks pointing to non-existent device tree nodes. The fix employs device_move() API to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind/unbind cycles, ensuring consistent sysfs topology and preventing reference-count corruption. The vulnerability affects systems using USB gadget mode (not typical on standard servers but common in embedded/mobile/specialized devices using Linux for USB peripheral emulation). CWE classification is not provided but relates to improper resource lifecycle management and reference counting issues in kernel driver code.

RemediationAI

Patch immediately to Linux kernel versions containing commit a6b8bce01a30a8c05c034bbc36c34845d65d644f or later (6.12.81, 6.18.22, 6.19.12 for stable branches, or latest mainline). The patch implements device_move() API calls to reparent net_device structures between gadget device tree and virtual sysfs tree during bind/unbind cycles, eliminating dangling symlinks. For systems unable to immediately upgrade, the primary workaround is to disable USB gadget EEM function support if not operationally required by setting CONFIG_USB_GADGET_EEM=n during kernel compilation or unloading the g_eem module if present. Disable gadget device unbind/rebind cycles if operationally acceptable (requires system redesign for persistent gadget configurations). No performance-neutral runtime workarounds exist without code changes. Verify patch application by confirming sysfs symlink validity after gadget rebind cycles: ls -l /sys/class/net/[interface] should resolve correctly and not point to missing device tree nodes. References: kernel.org stable commits and vuldb.com/vuln/360656.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy