CVE-2026-31726 - Vulnerability Details

- usb: gadget: uvc: fix NULL pointer dereference during unbind race

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uvc: fix NULL pointer dereference during unbind race

Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly
shutdown") introduced two stages of synchronization waits totaling 1500ms
in uvc_function_unbind() to prevent several types of kernel panics.
However, this timing-based approach is insufficient during power
management (PM) transitions.

When the PM subsystem starts freezing user space processes, the
wait_event_interruptible_timeout() is aborted early, which allows the
unbind thread to proceed and nullify the gadget pointer
(cdev->gadget = NULL):

[ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind()
[ 814.178583][ T3173] PM: suspend entry (deep)
[ 814.192487][ T3173] Freezing user space processes
[ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release

When the PM subsystem resumes or aborts the suspend and tasks are
restarted, the V4L2 release path is executed and attempts to access the
already nullified gadget pointer, triggering a kernel panic:

[ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake
[ 814.386727][ T3173] Restarting tasks ...
[ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030
[ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4
[ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94
[ 814.404078][ T4558] Call trace:
[ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4
[ 814.404083][ T4558] usb_function_deactivate+0x54/0x94
[ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c
[ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac
[ 814.404095][ T4558] v4l2_release+0xcc/0x130

Address the race condition and NULL pointer dereference by:

1. State Synchronization (flag + mutex)
Introduce a 'func_unbound' flag in struct uvc_device. This allows
uvc_function_disconnect() to safely skip accessing the nullified
cdev->gadget pointer. As suggested by Alan Stern, this flag is protected
by a new mutex (uvc->lock) to ensure proper memory ordering and prevent
instruction reordering or speculative loads. This mutex is also used to
protect 'func_connected' for consistent state management.

2. Explicit Synchronization (completion)
Use a completion to synchronize uvc_function_unbind() with the
uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by
ensuring struct uvc_device is freed after all video device resources
are released.

Published: 2026-05-01

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from a race condition in the USB gadget UVC driver that can cause a NULL pointer dereference during power‑management suspend/resume cycles. When the PM subsystem freezes or resumes, the unbind thread nullifies the gadget pointer while the V4L2 release path still attempts to access it, triggering a kernel panic. The attack compromises system availability by causing a total reboot or need for operator intervention.

Affected Systems

All Linux kernel installations that include the USB gadget UVC subsystem are affected, regardless of kernel version until the patch that introduces the func_unbound flag and mutex is applied. There is no product version isolation beyond the Linux kernel itself.

Risk and Exploitability

The problem is highly disruptive, as the kernel crash can be invoked simply by forcing a suspend/resume transition on a device that uses the UVC gadget. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the inherent nature of a kernel panic indicates a high risk of denial of service. The CVSS score is not provided in the data, but the impact is equivalent to a critical severity. Attackers would need to trigger a PM transition while the gadget is bound; this is feasible on a compromised or privileged host. The fix restores proper synchronization and safe shutdown of the device, preventing the null dereference.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1444e0568bc2c70868e7b8da5b46fc2252acc3f5`	affected	< 0c00ec409d7b2bce3fcac73188b79a141db7cfda
`4962e5a2f301d24953f17d6748d986e21566abe1`	affected	< d92d1532e05b1b31d36d48765e43bf73d793d19f
`b81ac4395bbeaf36e078dea1a48c02dd97b76235`	affected	< 0587de744615628c38e33ddc1601160a5ea8c50a
`b81ac4395bbeaf36e078dea1a48c02dd97b76235`	affected	< c78e463ee134b4669579d453c81ae00795e4c19a
`b81ac4395bbeaf36e078dea1a48c02dd97b76235`	affected	< 8a1128d604c360eca135f15b882b70256a522145
`b81ac4395bbeaf36e078dea1a48c02dd97b76235`	affected	< 1aa9356881ee4ed414bf72d0c56d915492cb5345
`b81ac4395bbeaf36e078dea1a48c02dd97b76235`	affected	< c038ba56b92e410d1caec22b2dc68780a0b42091
`b81ac4395bbeaf36e078dea1a48c02dd97b76235`	affected	< eba2936bbe6b752a31725a9eb5c674ecbf21ee7d
`e10735ce87502b07e171727e574afdd6c0890a08`	affected	—

Linux

affected

Version	Status	Constraints
`5.18`	affected	—
`0`	unaffected	< 5.18
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1444e0568bc2c70868e7b8da5b46fc2252acc3f5,0c00ec409d7b2bce3fcac73188b79a141db7cfda)`	affected	code_commit	—
`[4962e5a2f301d24953f17d6748d986e21566abe1,d92d1532e05b1b31d36d48765e43bf73d793d19f)`	affected	code_commit	—
`[b81ac4395bbeaf36e078dea1a48c02dd97b76235,0587de744615628c38e33ddc1601160a5ea8c50a)`	affected	code_commit	—
`[b81ac4395bbeaf36e078dea1a48c02dd97b76235,c78e463ee134b4669579d453c81ae00795e4c19a)`	affected	code_commit	—
`[b81ac4395bbeaf36e078dea1a48c02dd97b76235,8a1128d604c360eca135f15b882b70256a522145)`	affected	code_commit	—
`[b81ac4395bbeaf36e78dea1a48c02dd97b76235,1aa9356881ee4ed414bf72d0c56d915492cb5345)`	affected	code_commit	—
`[b81ac4395bbeaf36e78dea1a48c02dd97b76235,c038ba56b92e410d1caec22b2dc68780a0b42091)`	affected	code_commit	—
`[b81ac4395bbeaf36e78dea1a48c02dd97b76235,eba2936bbe6b752a31725a9eb5c674ecbf21ee7d)`	affected	code_commit	—
`e10735ce87502b07e171727e574afdd6c0890a08`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.18`	affected	generic	—
`[0,5.18)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that incorporates commit b81ac4395bbe, which adds synchronization and a guard flag to prevent the NULL pointer dereference.
Reboot the system with the patched kernel to activate the new crash‑prevention logic.
As a temporary measure, disable or postpone power‑management transitions for devices using the UVC gadget (e.g., adjust /sys/module/usb_gadget/parameters/no_autosuspend) until the patch can be applied.

Generated by OpenCVE AI on May 2, 2026 at 12:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0587de744615628c38e33ddc1601160a5ea8c50a
https://git.kernel.org/stable/c/0c00ec409d7b2bce3fcac73188b79a141db7cfda
https://git.kernel.org/stable/c/1aa9356881ee4ed414bf72d0c56d915492cb5345
https://git.kernel.org/stable/c/8a1128d604c360eca135f15b882b70256a522145
https://git.kernel.org/stable/c/c038ba56b92e410d1caec22b2dc68780a0b42091
https://git.kernel.org/stable/c/c78e463ee134b4669579d453c81ae00795e4c19a
https://git.kernel.org/stable/c/d92d1532e05b1b31d36d48765e43bf73d793d19f
https://git.kernel.org/stable/c/eba2936bbe6b752a31725a9eb5c674ecbf21ee7d
https://lore.kernel.org/linux-cve-announce/2026050135-CVE-2026-31726-0cb8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31726
https://www.cve.org/CVERecord?id=CVE-2026-31726

History

Sat, 02 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026050135-CVE-2026-31726-0cb8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31726 https://www.cve.org/CVERecord?id=CVE-2026-31726

Sat, 02 May 2026 00:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: fix NULL pointer dereference during unbind race Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") introduced two stages of synchronization waits totaling 1500ms in uvc_function_unbind() to prevent several types of kernel panics. However, this timing-based approach is insufficient during power management (PM) transitions. When the PM subsystem starts freezing user space processes, the wait_event_interruptible_timeout() is aborted early, which allows the unbind thread to proceed and nullify the gadget pointer (cdev->gadget = NULL): [ 814.123447][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind() [ 814.178583][ T3173] PM: suspend entry (deep) [ 814.192487][ T3173] Freezing user space processes [ 814.197668][ T947] configfs-gadget.g1 gadget.0: uvc: uvc_function_unbind no clean disconnect, wait for release When the PM subsystem resumes or aborts the suspend and tasks are restarted, the V4L2 release path is executed and attempts to access the already nullified gadget pointer, triggering a kernel panic: [ 814.292597][ C0] PM: pm_system_irq_wakeup: 479 triggered dhdpcie_host_wake [ 814.386727][ T3173] Restarting tasks ... [ 814.403522][ T4558] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 [ 814.404021][ T4558] pc : usb_gadget_deactivate+0x14/0xf4 [ 814.404031][ T4558] lr : usb_function_deactivate+0x54/0x94 [ 814.404078][ T4558] Call trace: [ 814.404080][ T4558] usb_gadget_deactivate+0x14/0xf4 [ 814.404083][ T4558] usb_function_deactivate+0x54/0x94 [ 814.404087][ T4558] uvc_function_disconnect+0x1c/0x5c [ 814.404092][ T4558] uvc_v4l2_release+0x44/0xac [ 814.404095][ T4558] v4l2_release+0xcc/0x130 Address the race condition and NULL pointer dereference by: 1. State Synchronization (flag + mutex) Introduce a 'func_unbound' flag in struct uvc_device. This allows uvc_function_disconnect() to safely skip accessing the nullified cdev->gadget pointer. As suggested by Alan Stern, this flag is protected by a new mutex (uvc->lock) to ensure proper memory ordering and prevent instruction reordering or speculative loads. This mutex is also used to protect 'func_connected' for consistent state management. 2. Explicit Synchronization (completion) Use a completion to synchronize uvc_function_unbind() with the uvc_vdev_release() callback. This prevents Use-After-Free (UAF) by ensuring struct uvc_device is freed after all video device resources are released.
Title		usb: gadget: uvc: fix NULL pointer dereference during unbind race
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0587de744615628c38e33ddc1601160a5ea8c50a https://git.kernel.org/stable/c/0c00ec409d7b2bce3fcac73188b79a141db7cfda https://git.kernel.org/stable/c/1aa9356881ee4ed414bf72d0c56d915492cb5345 https://git.kernel.org/stable/c/8a1128d604c360eca135f15b882b70256a522145 https://git.kernel.org/stable/c/c038ba56b92e410d1caec22b2dc68780a0b42091 https://git.kernel.org/stable/c/c78e463ee134b4669579d453c81ae00795e4c19a https://git.kernel.org/stable/c/d92d1532e05b1b31d36d48765e43bf73d793d19f https://git.kernel.org/stable/c/eba2936bbe6b752a31725a9eb5c674ecbf21ee7d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:26.882Z

Updated: 2026-05-01T14:14:26.882Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31726

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.063

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31726

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31726 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object