CVE-2026-31728 - Vulnerability Details

- usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

A race condition between gether_disconnect() and eth_stop() leads to a
NULL pointer dereference. Specifically, if eth_stop() is triggered
concurrently while gether_disconnect() is tearing down the endpoints,
eth_stop() attempts to access the cleared endpoint descriptor, causing
the following NPE:

Unable to handle kernel NULL pointer dereference
Call trace:
__dwc3_gadget_ep_enable+0x60/0x788
dwc3_gadget_ep_enable+0x70/0xe4
usb_ep_enable+0x60/0x15c
eth_stop+0xb8/0x108

Because eth_stop() crashes while holding the dev->lock, the thread
running gether_disconnect() fails to acquire the same lock and spins
forever, resulting in a hardlockup:

Core - Debugging Information for Hardlockup core(7)
Call trace:
queued_spin_lock_slowpath+0x94/0x488
_raw_spin_lock+0x64/0x6c
gether_disconnect+0x19c/0x1e8
ncm_set_alt+0x68/0x1a0
composite_setup+0x6a0/0xc50

The root cause is that the clearing of dev->port_usb in
gether_disconnect() is delayed until the end of the function.

Move the clearing of dev->port_usb to the very beginning of
gether_disconnect() while holding dev->lock. This cuts off the link
immediately, ensuring eth_stop() will see dev->port_usb as NULL and
safely bail out.

Published: 2026-05-01

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A race condition (CWE‑367) between the gether_disconnect() and eth_stop() functions in the Linux kernel’s USB gadget u_ether driver can trigger a NULL pointer dereference. When eth_stop() runs concurrently while gether_disconnect() clears an endpoint descriptor, the driver fails to detect that the endpoint has been removed and attempts to dereference the cleared descriptor. This causes a kernel crash, and because eth_stop() holds the dev->lock during the dereference, the thread executing gether_disconnect() cannot acquire the same lock and spins forever, resulting in a hardlockup. The system becomes unresponsive until a reboot restores normal operation.

Affected Systems

The vulnerability affects all Linux kernel releases that include the unmodified u_ether USB gadget driver, specifically the core Linux kernel. The affected vendor is Linux and the product is the Linux kernel across all supported distributions that ship the kernel with this driver before the commit that moves the clearing of dev->port_usb to the start of gether_disconnect()

Risk and Exploitability

The CVSS score of 5.5 denotes moderate severity. With no EPSS score available and the issue not present in the CISA KEV catalog, the specific exploitation probability remains uncertain. However, the required conditions—a local user able to activate the u_ether driver and attach a USB Ethernet gadget—are plausible in many environments. Because the flaw leads to a hardlockup that requires a reboot, the primary impact is denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< f02980594deef751e42133714aee25228f1494c6
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< e1e7a66584bf0aff3becb73c19fa31527889fc9e
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< a259ba0bce3b192c04334499690372a250f7d0b1
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< bbb09bb89ffa571475f66daca9482b974cd29d6a
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< 6ad77458637b78ec655e3da5f112c862e6690a9d
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< 8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8
`2b3d942c4878084a37991a65e66512c02b8fa2ad`	affected	< e1eabb072c75681f78312c484ccfffb7430f206e

Linux

affected

Version	Status	Constraints
`2.6.27`	affected	—
`0`	unaffected	< 2.6.27
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.169`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,f02980594deef751e42133714aee25228f1494c6)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,e1e7a66584bf0aff3becb73c19fa31527889fc9e)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,a259ba0bce3b192c04334499690372a250f7d0b1)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,bbb09bb89ffa571475f66daca9482b974cd29d6a)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,6ad77458637b78ec655e3da5f112c862e6690a9d)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8)`	affected	code_commit	—
`[2b3d942c4878084a37991a65e66512c02b8fa2ad,e1eabb072c75681f78312c484ccfffb7430f206e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.27`	affected	semver	—
`[0,2.6.27)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.169,6.2.0)`	unaffected	semver	—
`[6.6.134,6.7.0)`	unaffected	semver	—
`[6.12.81,6.13.0)`	unaffected	semver	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that incorporates the commit fixing the race condition; the patch is referenced in the provided commit logs.
If an update is not immediately available, disable the u_ether USB gadget driver until a patched kernel is installed (e.g., modprobe -r u_ether or add it to a blacklist).
Monitor system logs (dmesg, /var/log/kern.log) for signs of hardlockups and adjust device usage accordingly.

Generated by OpenCVE AI on May 2, 2026 at 11:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6ad77458637b78ec655e3da5f112c862e6690a9d
https://git.kernel.org/stable/c/8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8
https://git.kernel.org/stable/c/a259ba0bce3b192c04334499690372a250f7d0b1
https://git.kernel.org/stable/c/bbb09bb89ffa571475f66daca9482b974cd29d6a
https://git.kernel.org/stable/c/e1e7a66584bf0aff3becb73c19fa31527889fc9e
https://git.kernel.org/stable/c/e1eabb072c75681f78312c484ccfffb7430f206e
https://git.kernel.org/stable/c/f02980594deef751e42133714aee25228f1494c6
https://git.kernel.org/stable/c/f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca
https://lore.kernel.org/linux-cve-announce/2026050136-CVE-2026-31728-47b6@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31728
https://www.cve.org/CVERecord?id=CVE-2026-31728

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-367
References		https://lore.kernel.org/linux-cve-announce/2026050136-CVE-2026-31728-47b6@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31728 https://www.cve.org/CVERecord?id=CVE-2026-31728
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop A race condition between gether_disconnect() and eth_stop() leads to a NULL pointer dereference. Specifically, if eth_stop() is triggered concurrently while gether_disconnect() is tearing down the endpoints, eth_stop() attempts to access the cleared endpoint descriptor, causing the following NPE: Unable to handle kernel NULL pointer dereference Call trace: __dwc3_gadget_ep_enable+0x60/0x788 dwc3_gadget_ep_enable+0x70/0xe4 usb_ep_enable+0x60/0x15c eth_stop+0xb8/0x108 Because eth_stop() crashes while holding the dev->lock, the thread running gether_disconnect() fails to acquire the same lock and spins forever, resulting in a hardlockup: Core - Debugging Information for Hardlockup core(7) Call trace: queued_spin_lock_slowpath+0x94/0x488 _raw_spin_lock+0x64/0x6c gether_disconnect+0x19c/0x1e8 ncm_set_alt+0x68/0x1a0 composite_setup+0x6a0/0xc50 The root cause is that the clearing of dev->port_usb in gether_disconnect() is delayed until the end of the function. Move the clearing of dev->port_usb to the very beginning of gether_disconnect() while holding dev->lock. This cuts off the link immediately, ensuring eth_stop() will see dev->port_usb as NULL and safely bail out.
Title		usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6ad77458637b78ec655e3da5f112c862e6690a9d https://git.kernel.org/stable/c/8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8 https://git.kernel.org/stable/c/a259ba0bce3b192c04334499690372a250f7d0b1 https://git.kernel.org/stable/c/bbb09bb89ffa571475f66daca9482b974cd29d6a https://git.kernel.org/stable/c/e1e7a66584bf0aff3becb73c19fa31527889fc9e https://git.kernel.org/stable/c/e1eabb072c75681f78312c484ccfffb7430f206e https://git.kernel.org/stable/c/f02980594deef751e42133714aee25228f1494c6 https://git.kernel.org/stable/c/f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:28.231Z

Updated: 2026-05-01T14:14:28.231Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31728

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:35.333

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31728

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31728 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object