Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ecm: Fix net_device lifecycle with device_move

The net_device is allocated during function instance creation and
registered during the bind phase with the gadget device as its sysfs
parent. When the function unbinds, the parent device is destroyed, but
the net_device survives, resulting in dangling sysfs symlinks:

console:/ # ls -l /sys/class/net/usb0
lrwxrwxrwx ... /sys/class/net/usb0 ->
/sys/devices/platform/.../gadget.0/net/usb0
console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0
ls: .../gadget.0/net/usb0: No such file or directory

Use device_move() to reparent the net_device between the gadget device
tree and /sys/devices/virtual across bind and unbind cycles. During the
final unbind, calling device_move(NULL) moves the net_device to the
virtual device tree before the gadget device is destroyed. On rebinding,
device_move() reparents the device back under the new gadget, ensuring
proper sysfs topology and power management ordering.

To maintain compatibility with legacy composite drivers (e.g., multi.c),
the bound flag is used to indicate whether the network device is shared
and pre-registered during the legacy driver's bind phase.
Published: 2026-05-01
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The f_ecm USB gadget driver allocates a network device during its initialization and registers it under the gadget’s sysfs hierarchy. When the gadget is unbound, the parent device is destroyed while the net_device remains allocated, leading to a dangling symlink that points to a non‑existent object. This improper cleanup can confuse the kernel’s power management and sysfs subsystems, potentially resulting in device‑tree inconsistencies or kernel panics if the stale reference is accessed. Based on the description, it is inferred that the primary outcome is resource leakage and instability rather than a direct data confidentiality breach.

Affected Systems

All Linux kernel builds that incorporate the unpatched f_ecm driver are affected; the issue resides in the generic Linux kernel code referenced by the CPE and is not limited to any particular distribution or kernel version.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker must have privileged or administrative access to load, unload, or otherwise manipulate the USB gadget driver to trigger the unbind–bind lifecycle. The lack of an exposed remote vector suggests the threat is confined to the host where the vulnerable driver is active. The overall risk can be considered moderate, dependent on the environment’s USB gadget configuration and the privilege level of potential attackers.

Generated by OpenCVE AI on May 2, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that includes the device_move fix for the f_ecm driver
  • If a kernel update is not yet available, disable or rebuild the kernel without the f_ecm configuration or module to remove the vulnerable code
  • After disabling or patching, reboot the system or reload all kernel modules to ensure all legacy net_device references are cleared

Generated by OpenCVE AI on May 2, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-911
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ecm: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks: console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering. To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
Title usb: gadget: f_ecm: Fix net_device lifecycle with device_move
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:26.200Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31725

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:34.947

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31725

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31725 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T12:15:25Z

Weaknesses