Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_subset: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:

console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c),
the bound flag is used to indicate whether the network device is shared
and pre-registered during the legacy driver's bind phase.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel bug causes a USB gadget network device to outlive the gadget device that owns it. When the gadget unbinds, the net_device object remains registered in sysfs under a path that no longer exists, producing a dangling symlink. The result is an orphaned kernel object that is never deallocated during the normal cycle, and the system is left with an inconsistent device tree.

Affected Systems

Affected are all Linux kernel builds that include the f_subset gadget driver and predate the commit that introduces device_move. No specific version ranges are provided, but any kernel that contains the buggy gadget module is impacted.

Risk and Exploitability

EPSS data is not available and the vulnerability is not listed in CISA KEV. The likely attack vector is local: a user or process that can trigger the USB gadget bind/unbind cycle may interact with the orphaned net_device. Based on the description, it is inferred that exploitation could lead to resource leaks or a denial of service if the dangling object is accessed or freed again, though no public exploits exist and the overall risk remains unclear.

Generated by OpenCVE AI on May 2, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that implements device_move in the f_subset module, effectively fixing the net_device lifecycle issue.
  • Disable or unload any USB gadget drivers that are not required on the system to reduce the risk of accidental bind/unbind cycles creating dangling objects.
  • Reboot the system after disabling the drivers or applying the patch to ensure that any existing dangling net_device references are cleared.

Generated by OpenCVE AI on May 2, 2026 at 11:48 UTC.
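
The dangling /sys/class/net symlink shown in the description can be checked for on a running host. The script below is an added example, not part of the kernel patch or the OpenCVE record; the optional directory argument and the gadget-parent/other tags are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the kernel patch or the CVE record).
# Lists /sys/class/net entries whose symlink target no longer exists, the
# symptom shown in the description. The optional directory argument is an
# assumption of this example so the check can run on a test tree.

find_dangling_netdevs() {
    root="${1:-/sys/class/net}"
    for link in "$root"/*; do
        # Interfaces are symlinks; plain files (e.g. bonding_masters) are skipped.
        [ -L "$link" ] || continue
        # -e follows the link, so it fails when the target directory is gone.
        [ -e "$link" ] && continue
        target=$(readlink "$link")
        # Tag stale targets that sat under a gadget device, as in the
        # description's .../gadget.0/net/usb0 path.
        case "$target" in
            */gadget.*/net/*) kind=gadget-parent ;;
            *)                kind=other ;;
        esac
        # One tab-separated line per stale entry: name, old target, tag.
        printf '%s\t%s\t%s\n' "${link##*/}" "$target" "$kind"
    done
    return 0
}

# Scan the live system when run directly; prints nothing on a healthy tree.
find_dangling_netdevs "$@"
```

Running it after a gadget unbind, before and after the kernel update, shows whether the usb0 entry still points at a removed gadget directory.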

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering. To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Title | | usb: gadget: f_subset: Fix net_device lifecycle with device_move
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:24.876Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31723

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T15:16:34.727

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31723

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31723 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z
