Description
In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()

dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,
which expects hsotg->lock to be held since it does spin_unlock/spin_lock
around the gadget driver callback invocation.

However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()
without holding the lock. This leads to:
- spin_unlock on a lock that is not held (undefined behavior)
- The lock remaining held after dwc2_gadget_exit_clock_gating() returns,
causing a deadlock when spin_lock_irqsave() is called later in the
same function.

Fix this by acquiring hsotg->lock before calling
dwc2_gadget_exit_clock_gating() and releasing it afterwards, which
satisfies the locking requirement of the call_gadget() macro.
Published: 2026-05-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a mismatch between spin_lock and spin_unlock in the dwc2 gadget subsystem causes the function dwc2_hsotg_udc_stop() to release a lock that was never held and to leave the lock in a held state. The call to dwc2_gadget_exit_clock_gating() expects the lock to be held and invokes a callback that performs a spin_unlock, leading to undefined behaviour. When this occurs, a subsequent attempt to acquire the same lock with spin_lock_irqsave() fails, resulting in a deadlock that can freeze the kernel or provoke a panic, effectively denying service.

Affected Systems

All Linux kernel releases that ship the dwc2 gadget driver and contain the unpatched dwc2_hsotg_udc_stop() logic are affected. The vulnerability is present in the kernel source prior to the fix introduced by the provided commits; any kernel build that has not yet incorporated this change remains vulnerable.

Risk and Exploitability

The CVSS score of 5.5 reflects a medium‑to‑high impact denial of service. The EPSS score is reported as < 1%, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known exploited instances. The flaw can be triggered locally by interacting with a USB gadget device that drives the buggy path; remote exploitation would require the attacker to have physical or local access to a device that enables the dwc2 gadget subsystem.

Generated by OpenCVE AI on May 8, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the spin_lock/unlock fix for dwc2_hsotg_udc_stop, addressing the lock ordering issue (CWE‑667) and the concurrency misuse (CWE‑832).
  • If an immediate kernel upgrade is not feasible, disable the USB gadget functionality by removing the dwc2 module, masking the lock mismatch and preventing entry into the vulnerable code path. This mitigates the concurrency flaw but reduces device capability.
  • Track vendor advisories and apply future kernel updates promptly, ensuring that all known lock‑management mistakes are resolved.

Generated by OpenCVE AI on May 8, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Fri, 08 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-667
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-832
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro, which expects hsotg->lock to be held since it does spin_unlock/spin_lock around the gadget driver callback invocation. However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the lock. This leads to: - spin_unlock on a lock that is not held (undefined behavior) - The lock remaining held after dwc2_gadget_exit_clock_gating() returns, causing a deadlock when spin_lock_irqsave() is called later in the same function. Fix this by acquiring hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, which satisfies the locking requirement of the call_gadget() macro.
Title usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-23T16:05:53.039Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31756

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:38.580

Modified: 2026-05-08T18:30:40.390

Link: CVE-2026-31756

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31756 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:15:05Z

Weaknesses