Skip to main content

Linux Kernel EUVDEUVD-2026-26568

| CVE-2026-31755 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 08, 2026 - 21:00 vuln.today
CVSS changed
May 08, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26568
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: cdns3: gadget: fix NULL pointer dereference in ep_queue

When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash.

Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints.

This prevents potential crashes when ep_queue is called on endpoints that are not ready.

AnalysisAI

Denial of service via NULL pointer dereference in the Linux kernel USB Cadence 3 (cdns3) gadget driver when ep_queue is called on disabled or unconfigured endpoints. A local authenticated attacker can trigger a kernel crash by invoking the vulnerable code path on systems with cdns3 USB gadget support enabled. No public exploit code has been identified, but the attack requires only local access and low privileges (CVSS 5.5, EPSS 0.02%).

Technical ContextAI

The vulnerability exists in the USB Cadence 3 (cdns3) gadget driver subsystem (drivers/usb/cdns3/gadget.c), specifically in the __cdns3_gadget_ep_queue() function. The cdns3 driver manages USB device-mode operations for controllers implementing the Cadence USB 3.0 gadget specification. The root cause is a missing NULL pointer check on the ep->desc field, which represents the endpoint descriptor. When an endpoint is disabled or not yet configured during gadget initialization, ep->desc remains NULL. If the ep_queue operation (which queues USB requests to an endpoint) is invoked before endpoint configuration, the function dereferences ep->desc without validation, triggering a NULL pointer dereference (CWE-476). This is particularly relevant in embedded systems and devices using Cadence USB controllers that expose gadget mode functionality.

RemediationAI

Apply the vendor-released patch from the Linux stable kernel repository. Users should upgrade to patched versions: Linux 5.4 (commit d61446dfc9d387775bb1b95b081953201b9222af or later), Linux 6.1.168 or later, Linux 6.6.134 or later, Linux 6.12.81 or later, Linux 6.18.22 or later, Linux 6.19.12 or later, or Linux 7.0 or later. Patch links are available at https://git.kernel.org/stable/c/3d1433fe34b224b90259e207e5389e95b504ef04 and related commits. For systems that cannot immediately patch, disable USB Cadence 3 gadget support by setting CONFIG_USB_CDNS3_GADGET=n during kernel compilation or disabling the module if built as a loadable module (rmmod usb_cdns3_gadget), though this removes USB gadget functionality entirely. Restrict local access to unprivileged users to limit exploitation surface, as authenticated local access is required to trigger the vulnerability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy