Impact
The vulnerability stems from an unbalanced reference count within the USB gadget subset implementation. The geth_alloc() routine correctly increments the reference counter for a gadget function, but the corresponding geth_free() routine fails to decrement it. This oversight leaves an orphaned reference count that prevents the function’s configuration from being properly cleaned up via configfs, potentially leading to resource exhaustion and kernel instability. The improper reference handling could cause the remaining reference to linger until the system reboots or until further operations trigger a kernel panic, effectively disabling the USB gadget subsystem until a remedy is applied.
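The imbalance described above, as an added example: a simplified userspace model in C, not kernel source and not code from the advisory. Only the names geth_alloc and geth_free come from the text; the struct, its refcnt field, the two free variants and the opts_can_remove() gate are assumptions made for illustration.

```c
/* Simplified userspace model of the counting pattern described above.
 * Not kernel source: struct gether_opts_model, its field, the two free
 * variants and opts_can_remove() are hypothetical, for illustration only. */
#include <stdbool.h>
#include <stdio.h>

struct gether_opts_model {
    int refcnt;   /* function instances currently holding these options */
};

typedef void (*free_fn_t)(struct gether_opts_model *);

/* As described: allocation takes a reference on the function's options. */
static void geth_alloc(struct gether_opts_model *opts) { opts->refcnt++; }

/* "Before": the function is released but the count is never dropped. */
static void geth_free_unbalanced(struct gether_opts_model *opts) { (void)opts; }

/* "After": every alloc is paired with exactly one decrement. */
static void geth_free_balanced(struct gether_opts_model *opts) { opts->refcnt--; }

/* Assumed cleanup gate: configuration can be torn down only at zero. */
static bool opts_can_remove(const struct gether_opts_model *opts)
{
    return opts->refcnt == 0;
}

/* Simulate repeated link/unlink of the function through configuration. */
static void run_cycles(struct gether_opts_model *opts, int cycles, free_fn_t free_fn)
{
    for (int i = 0; i < cycles; i++) {
        geth_alloc(opts);
        free_fn(opts);
    }
}

int main(void)
{
    struct gether_opts_model before = { 0 }, after = { 0 };

    run_cycles(&before, 3, geth_free_unbalanced);
    run_cycles(&after, 3, geth_free_balanced);
    printf("unbalanced: refcnt=%d removable=%d\n", before.refcnt, opts_can_remove(&before));
    printf("balanced:   refcnt=%d removable=%d\n", after.refcnt, opts_can_remove(&after));
    return 0;
}
```

In this model each alloc/free cycle with the unbalanced variant leaves one reference behind, so the cleanup gate never opens again.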
Affected Systems
All Linux kernel releases that include the usb:gadget:f_subset controller and do not incorporate the fix (commits referenced in the advisory). Specific affected versions are not enumerated in the CVE data, so any kernel that predates the patch and uses this gadget function is considered vulnerable.
Risk and Exploitability
The CVSS score is not disclosed and EPSS data is unavailable. The vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploitation has been reported. The likely attack requires the ability to manipulate the gadget configuration through configfs, which is typically available to privileged (root) users or processes that can attach a USB device. An attacker with such privileges could repeatedly unlink and re‑attach gadget functions, gradually exhausting system resources or triggering a kernel crash. Remote exploitation from an untrusted USB device is not explicitly supported by the data but is plausible if the device can inject the configuration changes. Overall, the risk remains moderate due to the lack of publicly known exploits and the high privilege requirement.