Skip to main content

Linux Kernel EUVDEUVD-2026-26538

| CVE-2026-31725 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:15 vuln.today
CVSS changed
May 07, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26538
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ecm: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:

console:/

ls -l /sys/class/net/usb0

lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/

ls -l /sys/devices/platform/.../gadget.0/net/usb0

ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.

AnalysisAI

Denial of service in the Linux kernel USB gadget ECM (Ethernet Control Model) driver allows local authenticated attackers to crash the system by exploiting improper net_device lifecycle management during bind and unbind cycles. When the gadget device unbinds, the network device survives with dangling sysfs symlinks, causing kernel issues when accessed or when the device tree is traversed. The vulnerability affects Linux kernel versions prior to patches released in 6.12.81, 6.18.22, 6.19.12, and 7.0.

Technical ContextAI

The Linux kernel's USB gadget subsystem provides a framework for implementing USB device functionality. The ECM (Ethernet Control Model) gadget function (f_ecm) implements USB-based Ethernet devices used in composite gadget configurations. The vulnerability exists in the net_device lifecycle management within f_ecm - specifically, the network device is registered to the gadget device as its sysfs parent during the bind phase but is not properly reparented when unbinding. This causes the device to remain in the sysfs hierarchy even after its parent gadget device is destroyed, creating orphaned symlinks. The fix employs device_move() to transition the net_device between the gadget device tree and the virtual device tree across bind/unbind cycles, maintaining proper sysfs topology and device hierarchy ordering. The issue affects the USB gadget framework used in embedded systems, Android devices, and kernel-based virtual machines that expose USB device functionality.

RemediationAI

Update the Linux kernel to version 6.12.81, 6.18.22, 6.19.12, or 7.0 or later depending on your stable series. The patch modifies the USB gadget ECM driver to use device_move() to properly reparent the net_device between the gadget device tree and /sys/devices/virtual during bind and unbind operations. For systems that cannot immediately update, disable USB gadget functionality if it is not required - the vulnerability only affects systems with the CONFIG_USB_GADGET and CONFIG_USB_F_ECM kernel options enabled and actively using gadget mode (not standard host-mode USB). If gadget functionality is required, isolate systems with untrusted local users, as exploitation requires local authenticated access. The patch is available from stable kernel releases and the referenced git commits; apply through your distribution's kernel update mechanism or compile directly from the stable kernel git repositories.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy