Medium severity5.5NVD Advisory· Published Apr 24, 2026· Updated Apr 29, 2026
CVE-2026-31606
CVE-2026-31606
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: don't call cdev_init while cdev in use
When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously unsafe behavior like oopes.
This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
10- osv-coords9 versionspkg:apk/chainguard/linux-aws-6.18pkg:apk/chainguard/linux-azure-6.18pkg:apk/chainguard/linux-gcp-6.18pkg:apk/chainguard/linux-qemu-6.12pkg:apk/chainguard/linux-qemu-6.18pkg:apk/chainguard/linux-qemu-6.18-bootc-boot-installedpkg:apk/chainguard/linux-vmware-6.12pkg:apk/chainguard/linux-vmware-6.18pkg:rpm/opensuse/kernel-source&distro=openSUSE%20Tumbleweed
< 6.18.31-r0+ 8 more
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.12.85-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 6.12.85-r0
- (no CPE)range: < 6.18.31-r0
- (no CPE)range: < 7.0.3-1.1
Patches
Vulnerability mechanics
References
5- git.kernel.org/stable/c/5a229016ca3ac551294ec59770be9da94ec4bf63nvdPatch
- git.kernel.org/stable/c/75ecc46828ec377dd5692c677168ef6d64fd7123nvdPatch
- git.kernel.org/stable/c/81ebd43cc0d6d106ce7b6ccbf7b5e40ca7f5503dnvdPatch
- git.kernel.org/stable/c/c6c0d13db5d0f8d465eabc14bd23d2b6a7247a43nvdPatch
- git.kernel.org/stable/c/eb6ef6185f2054a341ec70d7e2165f5381744215nvdPatch
News mentions
0No linked articles in our index yet.