Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo

Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with
device_move") reparents the gadget device to /sys/devices/virtual during
unbind, clearing the gadget pointer. If the userspace tool queries on
the surviving interface during this detached window, this leads to a
NULL pointer dereference.

Unable to handle kernel NULL pointer dereference
Call trace:
eth_get_drvinfo+0x50/0x90
ethtool_get_drvinfo+0x5c/0x1f0
__dev_ethtool+0xaec/0x1fe0
dev_ethtool+0x134/0x2e0
dev_ioctl+0x338/0x560

Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached,
skip copying the fw_version and bus_info strings, which is natively
handled by ethtool_get_drvinfo for empty strings.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference in the eth_get_drvinfo function of the Linux kernel USB gadget u_ether driver can cause a kernel crash. When a userspace utility such as ethtool queries the driver during the device detach window, the function attempts to access the gadget pointer after it has been cleared, leading to a crash. The resulting kernel panic causes system downtime until a reboot. This flaw is a classic null pointer dereference (CWE‑476).
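The unchecked and checked shapes of the handler described above, as a userspace C model added here for illustration. It is not the kernel patch or OpenCVE's code, and the struct names, field names and string values are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model; struct and field names are simplified stand-ins. */
struct model_gadget  { const char *name; const char *dev_name; };
struct model_eth_dev { struct model_gadget *gadget; /* NULL while detached */ };
struct model_drvinfo { char driver[32], fw_version[32], bus_info[32]; };

/* Bounded, always NUL-terminated copy (plays the role of strscpy()). */
static void copy_str(char *dst, size_t n, const char *src)
{
    snprintf(dst, n, "%s", src);
}

/* Pre-fix shape: dev->gadget is dereferenced unconditionally. */
void drvinfo_unchecked(const struct model_eth_dev *dev, struct model_drvinfo *p)
{
    copy_str(p->driver, sizeof p->driver, "model_driver");
    copy_str(p->fw_version, sizeof p->fw_version, dev->gadget->name); /* faults if NULL */
    copy_str(p->bus_info, sizeof p->bus_info, dev->gadget->dev_name);
}

/* Post-fix shape: gadget-derived strings are skipped while detached. */
void drvinfo_checked(const struct model_eth_dev *dev, struct model_drvinfo *p)
{
    copy_str(p->driver, sizeof p->driver, "model_driver");
    if (!dev->gadget)
        return; /* fw_version and bus_info stay empty */
    copy_str(p->fw_version, sizeof p->fw_version, dev->gadget->name);
    copy_str(p->bus_info, sizeof p->bus_info, dev->gadget->dev_name);
}

/* Runs the checked handler with the gadget attached (1) or detached (0).
 * Returns a bitmask of non-empty fields: 1 = driver, 2 = fw_version, 4 = bus_info. */
int query_field_mask(int attached)
{
    struct model_gadget g = { "constructed-udc", "constructed-bus" };
    struct model_eth_dev dev = { attached ? &g : NULL };
    struct model_drvinfo info;

    memset(&info, 0, sizeof info); /* assumed: caller hands in a zeroed buffer */
    drvinfo_checked(&dev, &info);
    return (info.driver[0] != '\0') | (info.fw_version[0] != '\0') << 1
         | (info.bus_info[0] != '\0') << 2;
}

int main(void)
{
    printf("attached: %d, detached: %d\n", query_field_mask(1), query_field_mask(0));
    return 0;
}
```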

Affected Systems

All Linux kernel versions that contain commit ec35c1969650, which introduced the detached window, and have not been updated to include the fix that adds the NULL check to eth_get_drvinfo. The vulnerability affects the upstream Linux kernel rather than specific vendor distributions, so any distribution shipping a kernel without the upstream patch is potentially impacted.

Risk and Exploitability

The bug requires a userspace tool that invokes ethtool on a u_ether interface during detachment, which typically demands administrative privileges. No EPSS score is available, so the likelihood of exploitation is unknown, but the severity of a kernel panic makes it a high‑impact local fault. The vulnerability is not listed in the CISA KEV catalog, indicating that there is no publicly known exploit, but a malicious local actor could trigger it by unbinding a gadget interface while another process queries it. The CVSS score is 5.5, indicating moderate severity.

Generated by OpenCVE AI on May 2, 2026 at 07:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix adding a NULL check for dev->gadget in eth_get_drvinfo (kernels carrying commit ec35c1969650 without that fix are the exposed ones).
  • Restrict or disable access to the ethtool utility for non‑privileged users when u_ether gadget devices may be unbound.
  • If an immediate kernel update is not possible, avoid querying u_ether interfaces with ethtool during the unbind operation or disable the u_ether gadget driver entirely if it is not needed for your workload.

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


Sat, 02 May 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-476

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description: the text shown under Description at the top of this page
Title: usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T14:14:27.552Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31727

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.210

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31727

Redhat

Severity : Moderate

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31727 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:45:37Z

Weaknesses