Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_rndis: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:

console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c),
the borrowed_net flag is used to indicate whether the network device is
shared and pre-registered during the legacy driver's bind phase.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug in the Linux kernel USB gadget f_rndis driver causes the net_device, which remains registered after the gadget is unbound, to produce dangling sysfs symlinks in /sys/class/net. This leaves a broken sysfs topology and may affect system operations. No remote code execution is provided by this flaw.

Affected Systems

Systems running any Linux kernel that includes the f_rndis gadget driver and does not yet incorporate the device_move() reparenting changes are affected. The patch commits (18ada801, 1ef251aa, 6045ea5c, e3675995) are applied in later kernel releases; check the kernel version or the source history to confirm presence of the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, the EPSS score of < 1% shows a very low likelihood of exploitation, and it is not listed in CISA KEV. Because the flaw involves a dangling sysfs link, an attacker with sufficient privileges could potentially cause operational disruptions, but there is no documented exploit. An attacker would need root or module‑load privileges to load or unload the gadget driver.

Generated by OpenCVE AI on May 6, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that includes the device_move() changes for f_rndis.
  • If the upstream kernel has not yet incorporated the fix, cherry‑pick the referenced commits into your local kernel tree and rebuild the kernel and modules.
  • Disable the f_rndis gadget driver (e.g., with modprobe.d blacklist) until the kernel is updated.

Generated by OpenCVE AI on May 6, 2026 at 23:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering. To maintain compatibility with legacy composite drivers (e.g., multi.c), the borrowed_net flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Title usb: gadget: f_rndis: Fix net_device lifecycle with device_move
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:29.566Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31722

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:34.617

Modified: 2026-05-06T20:55:31.143

Link: CVE-2026-31722

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31722 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T23:45:06Z

Weaknesses