Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_eem: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:

console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c),
the bound flag is used to indicate whether the network device is shared
and pre-registered during the legacy driver's bind phase.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel’s USB gadget EEM driver previously allowed a network device to outlive its parent gadget during unbind operations, resulting in dangling symlinks under /sys/class/net. This bug exemplifies CWE‑459 (Improper Cleanup) and does not provide direct code execution or data exfiltration, but it can create orphaned system objects that may confuse interface enumeration tools and lead to subtle stability or resource management issues. Based on the description, it is inferred that exploitation requires privileged local actions such as invoking bind/unbind sequences, as these operations typically demand root or device ownership rights.

Affected Systems

Any Linux kernel build that lacks the device_move fix, including distributions and custom kernels around the timeframe of the referenced git commits, is affected. The vulnerability is tied to the kernel itself, so any system running an unpatched kernel is potentially impacted.

Risk and Exploitability

No CVSS or EPSS data are available; the vulnerability is not listed in CISA's KEV catalog. The defect appears to require privileged local actions, inferred from the need to perform bind/unbind operations that normally require root or device ownership rights. No direct execution or data exfiltration capabilities are identified, and the effect is the creation of stale or orphaned sysfs entries, which may lead to resource management issues or confusion for network enumeration tools.

Generated by OpenCVE AI on May 2, 2026 at 12:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the device_move patch, as shown in the provided git references.
  • Recompile any custom kernel builds ensuring the patch commits are applied and incorporated into the final image.
  • After applying the patch, reboot the system so the new kernel is active and verify that /sys/class/net no longer contains stale symlinks for usb interfaces.
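A check for the verification step in the last action above, added here as an example (not code from OpenCVE or the kernel project): it classifies each usb* entry under /sys/class/net as dangling, virtual (target under /sys/devices/virtual, where the fix moves the net_device on unbind) or parented. The function name and its directory and prefix arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. classify_net_links is a hypothetical helper name.
# Usage: classify_net_links [CLASS_DIR] [PREFIX]
#   CLASS_DIR defaults to /sys/class/net, PREFIX to "usb".
# Prints "<ifname> <state> <link target>" per matching symlink, where state is:
#   dangling  - the symlink target no longer exists (the pre-fix symptom)
#   virtual   - target is under .../devices/virtual/ (unbound, post-fix)
#   parented  - target is under some other device (e.g. a bound gadget)
# Returns 1 if any dangling entry was found, 0 otherwise.
classify_net_links() {
    dir="${1:-/sys/class/net}"
    prefix="${2:-usb}"
    rc=0
    for link in "$dir"/"$prefix"*; do
        # Skip an unmatched glob and non-symlink entries in the class directory.
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        # -e follows the symlink, so it is false when the target is gone.
        if [ ! -e "$link" ]; then
            state=dangling
            rc=1
        else
            case "$target" in
                */devices/virtual/*) state=virtual ;;
                *)                   state=parented ;;
            esac
        fi
        printf '%s %s %s\n' "${link##*/}" "$state" "$target"
    done
    return "$rc"
}
```

Run it after an unbind as well as after the reboot: on a kernel with the fix an unbound interface should report virtual, never dangling.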



Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title usb: gadget: f_eem: Fix net_device lifecycle with device_move
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:25.544Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31724

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T15:16:34.833

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31724

Redhat

Severity:

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31724 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:15:25Z

Weaknesses