Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: move list and spinlock inits from bind to alloc

There was an issue when you did the following:
- set up and bind a HID gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL

When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported
within remove_wait_queue (via ep_remove_wait_queue). After some
debugging I found out that the queues which f_hid registers via
poll_wait were the problem. These were initialized using
init_waitqueue_head inside hidg_bind. So effectively, the bind function
re-initialized the queues while there were still items in them.

The solution is to move the initialization from hidg_bind to hidg_alloc
to extend their lifetimes to the lifetime of the function instance.

Additionally, I found many other possibly problematic init calls in the
bind function, which I moved as well.
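Added illustration, not code from the kernel or from the commit above: a userspace C model of the kernel's intrusive list and the validity check CONFIG_DEBUG_LIST performs before unlinking, showing why re-initializing a wait-queue head while an epoll waiter is still linked makes the later remove_wait_queue fail. The names simulate_rebind and list_del_checked are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the kernel's intrusive doubly-linked list (struct list_head). */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}
/* The check CONFIG_DEBUG_LIST runs before unlinking: both neighbours must
 * still point back at the entry. Returns 1 if the links are consistent. */
static int list_del_entry_valid(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}
/* Returns 1 on a clean unlink, 0 when the debug check would report corruption. */
static int list_del_checked(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return 0;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = e->prev = NULL;
    return 1;
}
/* Model of the reported sequence (hypothetical helper). reinit_on_bind != 0
 * re-initializes the wait-queue head at every bind, as the unfixed hidg_bind
 * did; 0 initializes it once, as hidg_alloc does after the fix. Returns the
 * outcome of the final EPOLL_CTL_DEL unlink. */
static int simulate_rebind(int reinit_on_bind)
{
    struct list_head wq_head, waiter;
    INIT_LIST_HEAD(&wq_head);                      /* alloc: head created once */
    list_add(&waiter, &wq_head);                   /* open + EPOLL_CTL_ADD */
    if (reinit_on_bind)                            /* unbind, then bind again */
        INIT_LIST_HEAD(&wq_head);                  /* waiter is still linked! */
    return list_del_checked(&waiter);              /* EPOLL_CTL_DEL -> remove_wait_queue */
}

int main(void)
{
    printf("init in bind:  %s\n", simulate_rebind(1) ? "ok" : "list_del corruption");
    printf("init in alloc: %s\n", simulate_rebind(0) ? "ok" : "list_del corruption");
    return 0;
}
```

Without the debug check the unlink would go ahead through the stale neighbour pointers, which is the silent corruption the report describes; CONFIG_DEBUG_LIST only makes it visible.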
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s HID gadget driver contained an ordering problem in which wait‑queue heads and list structures were initialized during the bind phase while they still held queued items. When a user opened /dev/hidg0, registered the descriptor with EPOLL, caused the device controller to unbind and rebind, and then deleted the EPOLL entry, the driver re‑initialized these structures, corrupting kernel pointers. This kernel data‑structure corruption can trigger a list_del error and potentially allow a local user to execute code with elevated privileges.

Affected Systems

All Linux kernel releases that include the f_hid gadget driver and use the bind‑time initialization sequence are affected. The patch that moves initialization to the allocation stage is present in later kernel versions; therefore, any kernel before the commit that introduced this change is vulnerable. Exact version numbers are not provided in the CVE description.

Risk and Exploitability

The vulnerability is local; an attacker must have permission to open /dev/hidg0 on the affected system. No publicly available exploit code is known and the EPSS score is not reported, so the risk must be assessed manually. The flaw is a high‑severity kernel data‑corruption bug that could lead to privilege escalation. It is not listed in CISA’s KEV catalogue, and the remaining exploitation window depends on the attacker’s ability to drive the exact bind/unbind/epoll sequence.

Generated by OpenCVE AI on May 2, 2026 at 10:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the f_hid initialization fix
  • Restrict access to /dev/hidg0 using udev rules or permission settings so that only trusted users can open the device
  • Monitor kernel logs for list_del errors or other indications of data‑structure corruption; if such errors occur, consider disabling the HID gadget or adjusting EPOLL usage


Tracking


Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6243-1 | linux security update
History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind the UDC - use the fd in EPOLL_CTL_DEL When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them. The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
Title | | usb: gadget: f_hid: move list and spinlock inits from bind to alloc
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-02T06:14:22.498Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31721

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:34.490

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31721

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31721 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:45:40Z

Weaknesses