Skip to main content

Linux Kernel EUVDEUVD-2026-26540

| CVE-2026-31727 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 18:45 vuln.today
CVSS changed
May 07, 2026 - 16:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26540
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo

Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move") reparents the gadget device to /sys/devices/virtual during unbind, clearing the gadget pointer. If the userspace tool queries on the surviving interface during this detached window, this leads to a NULL pointer dereference.

Unable to handle kernel NULL pointer dereference Call trace: eth_get_drvinfo+0x50/0x90 ethtool_get_drvinfo+0x5c/0x1f0 __dev_ethtool+0xaec/0x1fe0 dev_ethtool+0x134/0x2e0 dev_ioctl+0x338/0x560

Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached, skip copying the fw_version and bus_info strings, which is natively handled by ethtool_get_drvinfo for empty strings.

AnalysisAI

NULL pointer dereference in the USB Ethernet gadget driver (u_ether) allows local attackers with low privileges to cause a denial of service by querying device information via ethtool during device unbind. The vulnerability occurs when userspace tools call eth_get_drvinfo() on a gadget interface after the kernel has cleared the gadget pointer during device reparenting, triggering a crash without authentication or user interaction. EPSS exploitation probability is minimal (0.02%), and this is a localized denial of service with no impact on confidentiality or integrity.

Technical ContextAI

The vulnerability exists in the Linux kernel's USB gadget subsystem, specifically in the u_ether driver's eth_get_drvinfo() function. The underlying issue stems from commit ec35c1969650 ('usb: gadget: f_ncm: Fix net_device lifecycle with device_move'), which reparents the gadget device to /sys/devices/virtual during unbind, clearing the gadget pointer stored in the net_device structure. When userspace tools (such as ethtool) query driver information via the SIOCETHTOOL ioctl during the brief window between unbind initiation and interface cleanup, eth_get_drvinfo() attempts to dereference a NULL gadget pointer (CWE-476: NULL Pointer Dereference). The affected code path flows through dev_ioctl() → dev_ethtool() → ethtool_get_drvinfo() → eth_get_drvinfo(). The gadget device structure is critical to the USB Ethernet implementation, but the safe handling of its lifecycle during hot-unplug events was incomplete before this fix.

RemediationAI

Vendor-released patch is available. Update to Linux kernel 6.12.81 or later for the 6.12 branch, 6.19.12 or later for the 6.19 branch, or 6.18.22 or later for the 6.18 branch. For distribution kernels, apply the backported fix from the vendor's stable tree using the commit references provided (0326429e8ba99892e1d1e115dc8e88e1a3b64e24 for the core fix). The patch adds a NULL check in eth_get_drvinfo() to safely handle cases where the gadget pointer has been cleared during device unbind, skipping the copying of firmware version and bus info strings which are natively handled as empty by ethtool_get_drvinfo(). As a temporary workaround for systems that cannot be patched immediately, disable ethtool queries on gadget interfaces during device hot-unplug events by restricting user permissions on /sys/class/net/{ethX}/statistics access or by unloading the USB gadget driver before maintenance, though this introduces functional limitations. No compensating controls fully mitigate the race condition without the patch.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy