CVE-2022-50704
Description
In the Linux kernel, the following vulnerability has been resolved:
USB: gadget: Fix use-after-free during usb config switch
In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free).
The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior.
Analysis as follows:
=======================================================================
(1) write /config/usb_gadget/g1/UDC "none"

gether_disconnect+0x2c/0x1f8
rndis_disable+0x4c/0x74
composite_disconnect+0x74/0xb0
configfs_composite_disconnect+0x60/0x7c
usb_gadget_disconnect+0x70/0x124
usb_gadget_unregister_driver+0xc8/0x1d8
gadget_dev_desc_UDC_store+0xec/0x1e4

(2) rm /config/usb_gadget/g1/configs/b.1/f1

rndis_deregister+0x28/0x54
rndis_free+0x44/0x7c
usb_put_function+0x14/0x1c
config_usb_cfg_unlink+0xc4/0xe0
configfs_unlink+0x124/0x1c8
vfs_unlink+0x114/0x1dc

(3) rmdir /config/usb_gadget/g1/functions/rndis.gs4

panic+0x1fc/0x3d0
do_page_fault+0xa8/0x46c
do_mem_abort+0x3c/0xac
el1_sync_handler+0x40/0x78
0xffffff801138f880
rndis_close+0x28/0x34
eth_stop+0x74/0x110
dev_close_many+0x48/0x194
rollback_registered_many+0x118/0x814
unregister_netdev+0x20/0x30
gether_cleanup+0x1c/0x38
rndis_attr_release+0xc/0x14
kref_put+0x74/0xb8
configfs_rmdir+0x314/0x374

If gadget->ops->pullup() returns an error, function rndis_close() will be called, then it will cause a use-after-free problem.
=======================================================================
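A user-space model of the three-step sequence in the analysis above, added here as an illustration and not taken from the kernel or the fix commit: it replays the configfs steps against a gadget whose ->pullup op either succeeds or fails, and reports whether the close path would run on already-freed RNDIS state. The "fixed" disconnect is an assumed shape (disconnect the driver regardless of the pullup result, as the commit message's second paragraph implies), not the upstream diff; all struct and function names are stand-ins for the kernel symbols in the traces.

```c
#include <stdbool.h>
#include <stddef.h>
struct rndis_params { bool freed; };                          /* stands in for the RNDIS state */
struct eth_dev { struct rndis_params *port_usb; bool up; };   /* gether's net device */
struct gadget {
    int (*pullup)(struct gadget *g, int on);                  /* hardware ->pullup op, may fail */
    struct eth_dev *dev;                                      /* the rndis function's net device */
};
static int pullup_ok(struct gadget *g, int on)    { (void)g; (void)on; return 0; }
static int pullup_fails(struct gadget *g, int on) { (void)g; (void)on; return -1; }

/* composite_disconnect -> rndis_disable -> gether_disconnect: detach the netdev from USB */
static void driver_disconnect(struct gadget *g) { g->dev->port_usb = NULL; }

/* Step (1), vulnerable shape: a failing pullup skips the driver's disconnect entirely. */
static int usb_gadget_disconnect_vuln(struct gadget *g)
{
    int ret = g->pullup(g, 0);
    if (ret)
        return ret;             /* gether never detached: dev->port_usb will dangle */
    driver_disconnect(g);
    return 0;
}
/* Step (1), fixed shape (assumed, not the upstream diff): disconnect regardless of pullup. */
static int usb_gadget_disconnect_fixed(struct gadget *g)
{
    int ret = g->pullup(g, 0);
    driver_disconnect(g);
    return ret;
}
/* Step (2): rm configs/b.1/f1 -> rndis_free. Modelled as a flag rather than a real free(). */
static void rndis_free(struct rndis_params *p) { p->freed = true; }
/* Step (3): rmdir functions/rndis.gs4 -> gether_cleanup -> unregister_netdev -> eth_stop.
 * Returns 1 if rndis_close() would run on freed params (the use-after-free), else 0. */
static int gether_cleanup(struct eth_dev *dev)
{
    if (!dev->up)
        return 0;
    dev->up = false;
    return dev->port_usb ? dev->port_usb->freed : 0;     /* rndis_close(dev->port_usb) */
}
/* Replay the three configfs steps with a given disconnect path and pullup behaviour. */
static int config_switch(int (*disconnect)(struct gadget *), int (*pullup)(struct gadget *, int))
{
    struct rndis_params params = { .freed = false };
    struct eth_dev dev = { .port_usb = &params, .up = true };
    struct gadget g = { .pullup = pullup, .dev = &dev };
    disconnect(&g);  rndis_free(&params);  return gether_cleanup(&dev);   /* (1) (2) (3) */
}
```

Only the combination of the vulnerable disconnect path and a failing pullup leaves dev->port_usb pointing at freed state when the netdev is torn down; a disconnect that always detaches the driver closes that window.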
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Linux kernel USB gadget driver during config switch from RNDIS when hardware pullup fails, leading to panic.
Vulnerability Description
A use-after-free vulnerability exists in the Linux kernel's USB gadget subsystem when switching the USB configuration from RNDIS to another configuration. The root cause is that if the hardware's ->pullup callback fails (either because the hardware does not support it or due to a transient fault), the driver proceeds to free resources that are later accessed, causing a use-after-free condition [1].
Exploitation
Exploitation requires local access to trigger a USB configuration switch via sysfs, typically by writing "none" to /config/usb_gadget/g1/UDC and then removing the RNDIS function. The attacker must be able to cause the pullup operation to fail, which can occur naturally on hardware that does not support the callback or under low-probability fault conditions [1].
Impact
Successful exploitation results in a system panic due to the use-after-free, leading to a denial of service. In some cases, it may also allow an attacker to execute arbitrary code if they can control the freed memory, though this is not explicitly confirmed in the available sources [1].
Mitigation
The vulnerability is fixed by commit 30e926aa835a in the Linux kernel stable tree. Systems should update to a kernel version containing this patch. No workaround is currently available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
30e926aa835a99a58ac42d9bafdc12887f2b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.