CVE-2026-31721
Published: May 1, 2026
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind the UDC - use the fd in EPOLL_CTL_DEL When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them. The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected cb382536052fcc7713988869b54a81137069e5a9 - < 13440c0db227c5db01da751ed966dde4cdd2ea18affected cb382536052fcc7713988869b54a81137069e5a9 - < de93e0862169b5539e00c2b9980b93fd80c37c0daffected cb382536052fcc7713988869b54a81137069e5a9 - < 81aee4500055876883658b024b6fb61801afe134affected cb382536052fcc7713988869b54a81137069e5a9 - < 8ec6a58586f195a88479edcdb0b8027c39f12d03affected cb382536052fcc7713988869b54a81137069e5a9 - < f7d00ee1c8082c8a134340aaf16d71a27e29c362+3 more versions |
Linux | Linux | affected 3.19unaffected 0 - < 3.19unaffected 5.10.253 - <= 5.10.*unaffected 5.15.203 - <= 5.15.*unaffected 6.1.169 - <= 6.1.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now