Skip to main content

Linux Kernel CVE-2026-31754

| EUVDEUVD-2026-26567 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 21:00 vuln.today
CVSS changed
May 08, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26567
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix state inconsistency on gadget init failure

When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency.

When switching to host mode via sysfs: echo host > /sys/class/usb_role/13180000.usb-role-switch/role

The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles.

This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller:

[ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19 [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed ... [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408 [ 1301.393391] backtrace: ... xhci_gen_setup+0xa4/0x408 <-- CRASH xhci_plat_setup+0x44/0x58 usb_add_hcd+0x284/0x678 ... cdns_role_set+0x9c/0xbc <-- Role switch

Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.

AnalysisAI

A denial of service condition in the Linux kernel's Cadence USB3 (cdns3) gadget driver occurs when gadget initialization fails, leaving the DRD hardware in gadget mode while software state remains inactive. Switching the device to USB host mode via sysfs triggers a synchronous external abort in the xHCI host controller setup, causing a kernel crash. Local authenticated users with access to the USB role-switch sysfs interface can trigger this condition, affecting Linux kernel versions 5.4 through current releases. A patch is available from the Linux kernel project.

Technical ContextAI

The Cadence USB3 dual-role (DRD) controller requires strict state synchronization between hardware and software modes to comply with the controller's design specification. The vulnerability exists in the cdns3_gadget_start() function within the USB gadget subsystem. When gadget initialization fails, the error path does not call cdns_drd_gadget_off() to properly clean up the DRD gadget state, leaving the hardware in gadget mode. Subsequently, when a user attempts to switch to host mode via the USB role-switch sysfs interface, the cdns_role_stop() function skips necessary cleanup because the software state is still marked INACTIVE. This violates the DRD controller design specification (Figure 22), which mandates returning to idle state before role transitions. The mismatch causes xhci_gen_setup() to access unmapped memory during host controller initialization, triggering a synchronous external abort (error code 96000010) in ARM systems.

RemediationAI

Update to a patched Linux kernel version: 5.15.203 or later for the 5.15 branch, 6.1.168 or later for 6.1, 6.6.134 or later for 6.6, 6.12.81 or later for 6.12, 6.18.22 or later for 6.18, 6.19.12 or later for 6.19, or 7.0 and later for mainline. The fix is available via stable kernel commits referenced in https://git.kernel.org/stable/c/fb7110a052467098967284ef14d306810b354937 and related commits. Most distributions will provide kernel updates through their standard security update channels within weeks of release. For systems that cannot patch immediately, restrict local user access to the USB role-switch sysfs interface via file permissions: chmod 600 /sys/class/usb_role/*/role to limit exposure to administrative users only. Alternatively, disable USB gadget mode entirely via kernel build options (CONFIG_USB_GADGET=n) if the system does not require gadget functionality, though this is suitable only for systems not requiring USB device-mode capabilities. Avoid triggering USB role switches via sysfs while using USB gadget mode until patched.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy