Description
In the Linux kernel, the following vulnerability has been resolved:

HID: usbhid: fix deadlock in hid_post_reset()

You can build a USB device that includes a HID component
and a storage or UAS component. The components can be reset
only together. That means that hid_pre_reset() and hid_post_reset()
are in the block IO error handling. Hence no memory allocation
used in them may do block IO because the IO can deadlock
on the mutex held while resetting a device and calling the
interface drivers.
Use GFP_NOIO for all allocations in them.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deadlock in the HID subsystem of the Linux kernel that occurs when a USB device containing both HID and storage or UAS components is reset. During the reset sequence, hid_post_reset() allocates memory while the mutex for the reset is held; if that allocation triggers block I/O, the I/O can wait on the same mutex and the system deadlocks. The effect is a denial of service, leaving the system unresponsive until rebooted. The weakness is a concurrency locking flaw that prevents the kernel from completing a reset operation.

Affected Systems

All Linux systems running a kernel prior to the commit that introduced the GFP_NOIO change are affected. This encompasses mainstream distributions such as Ubuntu, Debian, Fedora, Red Hat Enterprise Linux, CentOS, and any other system shipping kernels that lack the fix. Any installation that has not incorporated the patch is vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in CISA KEV, but its impact is substantial because a single device that can trigger the deadlock can render the entire kernel non‑responsive. The attack requires a physical USB device capable of resetting both HID and storage components simultaneously, which limits the exposure to environments where such devices are present. The risk is therefore moderate to high in constrained environments, and the severity is high due to the potential for complete system downtime.

Generated by OpenCVE AI on June 24, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the commit fixing the deadlock. The patch uses GFP_NOIO for allocations in hid_post_reset().
  • For systems that cannot be immediately upgraded, rebuild the kernel or apply the specific patch as a backport so that the corrected allocation flags are in effect.
  • Where device reset is unavoidable, restrict or disable USB devices that combine HID and storage or UAS functionality, or use firmware that prevents simultaneous reset of those components.

Generated by OpenCVE AI on June 24, 2026 at 18:51 UTC.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-1027 |

Wed, 24 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix deadlock in hid_post_reset() You can build a USB device that includes a HID component and a storage or UAS component. The components can be reset only together. That means that hid_pre_reset() and hid_post_reset() are in the block IO error handling. Hence no memory allocation used in them may do block IO because the IO can deadlock on the mutex held while resetting a device and calling the interface drivers. Use GFP_NOIO for all allocations in them. |
| Title | | HID: usbhid: fix deadlock in hid_post_reset() |
| First Time appeared | | Linux, Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux, Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:44.311Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53037

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T19:00:06Z

Weaknesses