CVE-2026-31756 - Vulnerability Details

- usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()

dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,
which expects hsotg->lock to be held since it does spin_unlock/spin_lock
around the gadget driver callback invocation.

However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()
without holding the lock. This leads to:
- spin_unlock on a lock that is not held (undefined behavior)
- The lock remaining held after dwc2_gadget_exit_clock_gating() returns,
causing a deadlock when spin_lock_irqsave() is called later in the
same function.

Fix this by acquiring hsotg->lock before calling
dwc2_gadget_exit_clock_gating() and releasing it afterwards, which
satisfies the locking requirement of the call_gadget() macro.

Published: 2026-05-01

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel's dwc2 gadget subsystem contains a mismatch between spin_lock and spin_unlock in dwc2_hsotg_udc_stop. The function calls dwc2_gadget_exit_clock_gating without holding the required lock, which causes a spin_unlock on a lock that is not held (undefined behavior). The lock remains held after the call, and subsequent attempts to acquire it with spin_lock_irqsave fail, resulting in a deadlock. An attacker could trigger this by interfacing with the USB gadget driver, potentially freezing the system or causing a kernel panic. This flaw could be exploited locally on a system that runs the unpatched kernel and has a USB gadget device that invokes the buggy path. The likely attack vector is inferred to be local via interaction with the USB gadget subsystem.

Affected Systems

All Linux kernel builds that include the dwc2 gadget subsystem and still contain the unfixed version of dwc2_hsotg_udc_stop. No specific release list is provided, so any kernel version that has this code before the fix may be vulnerable.

Risk and Exploitability

The CVSS score is 7.0, indicating a high-impact denial of service. The EPSS score is not available. An attacker would need local or physical access to a USB gadget device to trigger the deadlock; remote exploitation is not implied. The flaw is not listed in CISA KEV, suggesting no confirmed exploits yet, but the potential for system unavailability remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5cb3cb3db317c58d50b68f3ca3bb8343ea9d1acd`	affected	< e9fcca3e87463013d595c65c2189ffaa32ad3b50
`1ac826cebc2776f91569f2aa9c9c3da2375d2096`	affected	< 8ffe31acb3b77a30ae34d01719a269881569fb7f
`41732f9febdccb4f9b87c13cb915d717d68ccafd`	affected	< beab10429439e20708036a66fb0d97ffb79da6a1
`ba78c2b3254c4a458c01776612e8a573e12f8d26`	affected	< 4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4
`af076a41f8a28faf9ceb9dd2d88aef2c202ef39a`	affected	< 61937f686290494998236c680ce0836b8dd63a3f
`af076a41f8a28faf9ceb9dd2d88aef2c202ef39a`	affected	< 51b62286fc668c6eb74dee7624ec0beec3c5a0ed
`af076a41f8a28faf9ceb9dd2d88aef2c202ef39a`	affected	< 9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a
`b39c203690fa1678daecc60f347e43c8b593b969`	affected	—

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5cb3cb3db317c58d50b68f3ca3bb8343ea9d1acd,e9fcca3e87463013d595c65c2189ffaa32ad3b50)`	affected	code_commit	—
`[1ac826cebc2776f91569f2aa9c9c3da2375d2096,8ffe31acb3b77a30ae34d01719a269881569fb7f)`	affected	code_commit	—
`[41732f9febdccb4f9b87c13cb915d717d68ccafd,beab10429439e20708036a66fb0d97ffb79da6a1)`	affected	code_commit	—
`[ba78c2b3254c4a458c01776612e8a573e12f8d26,4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4)`	affected	code_commit	—
`[af076a41f8a28faf9ceb9dd2d88aef2c202ef39a,61937f686290494998236c680ce0836b8dd63a3f)`	affected	code_commit	—
`[af076a41f8a28faf9ceb9dd2d88aef2c202ef39a,51b62286fc668c6eb74dee7624ec0beec3c5a0ed)`	affected	code_commit	—
`[af076a41f8a28faf9ceb9dd2d88aef2c202ef39a,9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a)`	affected	code_commit	—
`[b39c203690fa1678daecc60f347e43c8b593b969,*]`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.16`	affected	semver	—
`[0,6.16)`	unaffected	semver	—
`[5.15.203,5.15.*]`	unaffected	semver	—
`[6.1.168,6.1.*]`	unaffected	semver	—
`[6.6.134,6.6.*]`	unaffected	semver	—
`[6.12.81,6.12.*]`	unaffected	semver	—
`[6.18.22,6.18.*]`	unaffected	semver	—
`[6.19.12,6.19.*]`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the running kernel to a version that contains the spin_lock/unlock fix for dwc2_hsotg_udc_stop.
If immediate kernel update is not feasible, disable the USB gadget functionality (e.g., by removing the dwc2 module or setting the corresponding kernel parameter) to prevent entry into the buggy code path.
Monitor vendor security advisories for updates and plan to apply the patch when a new kernel release is available.

Generated by OpenCVE AI on May 2, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4
https://git.kernel.org/stable/c/51b62286fc668c6eb74dee7624ec0beec3c5a0ed
https://git.kernel.org/stable/c/61937f686290494998236c680ce0836b8dd63a3f
https://git.kernel.org/stable/c/8ffe31acb3b77a30ae34d01719a269881569fb7f
https://git.kernel.org/stable/c/9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a
https://git.kernel.org/stable/c/beab10429439e20708036a66fb0d97ffb79da6a1
https://git.kernel.org/stable/c/e9fcca3e87463013d595c65c2189ffaa32ad3b50
https://lore.kernel.org/linux-cve-announce/2026050144-CVE-2026-31756-87ec@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31756
https://www.cve.org/CVERecord?id=CVE-2026-31756

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-832
References		https://lore.kernel.org/linux-cve-announce/2026050144-CVE-2026-31756-87ec@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31756 https://www.cve.org/CVERecord?id=CVE-2026-31756
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro, which expects hsotg->lock to be held since it does spin_unlock/spin_lock around the gadget driver callback invocation. However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the lock. This leads to: - spin_unlock on a lock that is not held (undefined behavior) - The lock remaining held after dwc2_gadget_exit_clock_gating() returns, causing a deadlock when spin_lock_irqsave() is called later in the same function. Fix this by acquiring hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, which satisfies the locking requirement of the call_gadget() macro.
Title		usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4 https://git.kernel.org/stable/c/51b62286fc668c6eb74dee7624ec0beec3c5a0ed https://git.kernel.org/stable/c/61937f686290494998236c680ce0836b8dd63a3f https://git.kernel.org/stable/c/8ffe31acb3b77a30ae34d01719a269881569fb7f https://git.kernel.org/stable/c/9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a https://git.kernel.org/stable/c/beab10429439e20708036a66fb0d97ffb79da6a1 https://git.kernel.org/stable/c/e9fcca3e87463013d595c65c2189ffaa32ad3b50

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:47.000Z

Updated: 2026-05-01T14:14:47.000Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31756

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:38.580

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31756

Redhat

Severity : Moderate

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31756 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:30:40Z

Weaknesses

CWE-832

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object