Skip to main content

Linux Kernel CVE-2026-31728

| EUVDEUVD-2026-26541 MEDIUM
Race Condition (CWE-362)
2026-05-01 Linux
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 18:45 vuln.today
CVSS changed
May 07, 2026 - 16:22 NVD
4.7 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26541
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 4.7
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

A race condition between gether_disconnect() and eth_stop() leads to a NULL pointer dereference. Specifically, if eth_stop() is triggered concurrently while gether_disconnect() is tearing down the endpoints, eth_stop() attempts to access the cleared endpoint descriptor, causing the following NPE:

Unable to handle kernel NULL pointer dereference Call trace: __dwc3_gadget_ep_enable+0x60/0x788 dwc3_gadget_ep_enable+0x70/0xe4 usb_ep_enable+0x60/0x15c eth_stop+0xb8/0x108

Because eth_stop() crashes while holding the dev->lock, the thread running gether_disconnect() fails to acquire the same lock and spins forever, resulting in a hardlockup:

Core - Debugging Information for Hardlockup core(7) Call trace: queued_spin_lock_slowpath+0x94/0x488 _raw_spin_lock+0x64/0x6c gether_disconnect+0x19c/0x1e8 ncm_set_alt+0x68/0x1a0 composite_setup+0x6a0/0xc50

The root cause is that the clearing of dev->port_usb in gether_disconnect() is delayed until the end of the function.

Move the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock. This cuts off the link immediately, ensuring eth_stop() will see dev->port_usb as NULL and safely bail out.

AnalysisAI

A race condition in the USB gadget ethernet driver (usb: gadget: u_ether) between gether_disconnect() and eth_stop() causes a NULL pointer dereference and system hardlockup on local systems with low privilege users. When eth_stop() is triggered concurrently during gether_disconnect(), it attempts to access a cleared endpoint descriptor, crashing while holding a spinlock that gether_disconnect() also needs, resulting in kernel panic and denial of service. CVSS 4.7 with low EPSS score (0.02%, percentile 7%) indicates limited real-world exploitation likelihood despite confirmed availability of vendor patches across multiple stable kernel branches.

Technical ContextAI

The vulnerability exists in the USB gadget ethernet function (u_ether.c) which implements Ethernet-over-USB protocol for Linux kernel gadget mode devices. The root cause is a classic race condition (CWE-362) in the synchronization logic between two functions: gether_disconnect() which tears down USB endpoints and eth_stop() which stops ethernet operations. Both functions access a shared data structure (dev->port_usb endpoint descriptor) protected by dev->lock spinlock. The issue arises because dev->port_usb is cleared at the end of gether_disconnect() rather than immediately, creating a window where eth_stop() can be invoked and see partially torn-down state. This leads to a NULL pointer dereference in __dwc3_gadget_ep_enable() when eth_stop() attempts to re-enable endpoints that have already been cleared by gether_disconnect(). The fix involves moving the dev->port_usb clear operation to the beginning of gether_disconnect() while holding the lock, ensuring atomic visibility across both code paths.

RemediationAI

Linux kernel vendors have released patched versions across all affected stable branches: update to 5.10.253, 5.15.203, 6.1.169, 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0+ depending on your kernel series. The fix involves moving the dev->port_usb = NULL assignment to the beginning of gether_disconnect() while holding dev->lock spinlock, ensuring the endpoint is immediately marked unavailable before any concurrent eth_stop() can access it. Specific git commit fixes are available at https://git.kernel.org/stable/c/f02980594deef751e42133714aee25228f1494c6 and related commits listed in references. For systems unable to immediately patch, disable USB gadget mode Ethernet functionality if not required, or restrict local user access to USB gadget control interfaces. Note that this is a local privilege vulnerability (PR:L) so restricting non-root user access to USB device functions (via apparmor, selinux, or user namespace restrictions) provides compensating control with no functionality loss for systems not using gadget mode. Full disable of gadget mode is most reliable mitigation if feature is unused.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy