Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: don't call cdev_init while cdev in use

When calling unbind, then bind again, cdev_init reinitialized the cdev,
even though there may still be references to it. That's the case when
the /dev/hidg* device is still opened. This obviously causes unsafe
behavior like oopses.

This fixes this by using cdev_alloc to put the cdev on the heap. That
way, we can simply allocate a new one in hidg_bind.
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Linux kernel’s USB gadget HID driver causes the character device (cdev) to be reinitialized while it is still in use. The buggy code invokes cdev_init again on an existing cdev that may still have open references, leading to memory corruption and an 'oops' kernel crash. This vulnerability can result in denial-of-service by crashing the system. The weakness is a classic Resource Management error (CWE-413).

Affected Systems

All Linux kernel builds that include the f_hid gadget driver without the patch. The affected code is part of the usb: gadget subsystem; specific kernel versions are not enumerated in the provided data, so any kernel that has shipped the unpatched f_hid module may be vulnerable.

Risk and Exploitability

The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 5.5 reflects medium severity. Exploitation would likely require local access to a system that hosts a USB gadget using the f_hid driver and would exploit the reinitialization bug to corrupt kernel memory, potentially crashing the system. The attack vector is local, based on manipulating the bind/unbind sequence of the HID gadget device.

Generated by OpenCVE AI on April 30, 2026 at 04:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the installed kernel version and compare it against known patched releases that move from cdev_init to cdev_alloc in hidg_bind.
  • If an affected kernel is in use, apply the patch that allocates the cdev on the heap, preventing reuse of an active device.
  • Verify that the USB gadget HID driver is disabled or updated on systems that do not require HID functionality to reduce exposure.


Advisories
Source | ID | Title
Debian DSA | DSA-6238-1 | linux security update
History

Wed, 29 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: don't call cdev_init while cdev in use When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously causes unsafe behavior like oopses. This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.
Title usb: gadget: f_hid: don't call cdev_init while cdev in use
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:03.516Z

Reserved: 2026-03-09T15:48:24.122Z

Link: CVE-2026-31606

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:39.830

Modified: 2026-04-29T20:00:34.693

Link: CVE-2026-31606

Redhat

Severity:

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31606 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-30T04:15:26Z

Weaknesses