VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 29, 2026

CVE-2026-31606

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: don't call cdev_init while cdev in use

When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This is obviously unsafe and leads to behavior like oopses.

This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel USB gadget f_hid driver could crash (oops) when rebinding after unbind while the device file is still open.

Vulnerability

In the Linux kernel's USB gadget f_hid driver, a use-after-free-like condition occurs when the driver is unbound and then rebound while the corresponding /dev/hidg* character device is still open. The cdev_init function is called during bind, which reinitializes the cdev structure even though existing references (e.g., from an open file descriptor) may still be using it. This unsafe behavior can lead to a kernel oops [1].

Exploitation

An attacker with local access and the ability to trigger a USB gadget unbind/bind cycle (e.g., by manipulating the gadget configuration via configfs or sysfs) can exploit this flaw. The attack requires that the /dev/hidg* device is already opened by a process, which could be a legitimate user or a malicious actor. No special privileges beyond the ability to reconfigure the USB gadget are needed, though the attacker must have access to the gadget's control interface.

Impact

Successful exploitation results in a kernel oops, causing a denial of service (system crash or hang). The CVSS v3 score of 5.5 (Medium) reflects the local attack vector and the requirement for the device to be open, but the impact is limited to availability. There is no evidence of privilege escalation or data leakage from the available sources.

Mitigation

The fix, committed as [1] and backported to stable kernels [2][3][4], replaces the use of cdev_init with cdev_alloc, which allocates a new cdev on the heap during each bind. This ensures that the old cdev remains valid until all references are released. Users should apply the latest kernel updates from their distribution or compile a patched kernel.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
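
The reference-count problem described above, as a simplified user-space model (an added example, not code from the kernel or from the patch). `model_cdev`, `model_cdev_init`, `model_cdev_alloc` and `model_put` are hypothetical stand-ins for `struct cdev`, `cdev_init`, `cdev_alloc` and the kobject reference drop; the model tracks only the reference count and assumes a single opener.

```c
/* User-space model of the cdev lifetime issue; added example, not kernel code. */
#include <stdlib.h>
#include <string.h>

struct model_cdev {   /* hypothetical stand-in for struct cdev */
    int refs;         /* models the embedded kobject reference count */
    int generation;   /* which bind created this object */
};

/* Models cdev_init(): wipes the object and restarts the count at 1. */
static void model_cdev_init(struct model_cdev *c, int generation) {
    memset(c, 0, sizeof(*c));
    c->refs = 1;
    c->generation = generation;
}

/* Models cdev_alloc(): every bind gets its own heap object. */
static struct model_cdev *model_cdev_alloc(int generation) {
    struct model_cdev *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->refs = 1;
    c->generation = generation;
    return c;
}

/* Drops one reference; returns 1 when that was the last one. */
static int model_put(struct model_cdev *c) { return --c->refs == 0; }

/* Before the fix: one embedded object, re-initialised on each bind.
 * Returns 1 if the stale opener's close releases the cdev that is still bound. */
int embedded_close_releases_live_cdev(void) {
    struct model_cdev cdev;
    model_cdev_init(&cdev, 1);  /* bind #1, owner reference */
    cdev.refs++;                /* open of /dev/hidg*: refs == 2 */
    model_put(&cdev);           /* unbind drops the owner reference: refs == 1 */
    model_cdev_init(&cdev, 2);  /* bind #2 forgets the opener: refs == 1 again */
    return model_put(&cdev);    /* close: count hits 0 while bind #2 is live */
}

/* After the fix: the old object outlives unbind until its opener closes.
 * Returns 1 if close releases only the old object and the new one is intact. */
int heap_close_keeps_live_cdev(void) {
    struct model_cdev *old = model_cdev_alloc(1);  /* bind #1 */
    old->refs++;                                   /* open */
    model_put(old);                                /* unbind: refs == 1 */
    struct model_cdev *cur = model_cdev_alloc(2);  /* bind #2, separate object */
    int old_released = model_put(old);             /* close frees only 'old' */
    int live_ok = cur->refs == 1 && cur->generation == 2;
    free(old); free(cur);
    return old_released && live_ok;
}
```

In the embedded variant the second initialisation erases the opener's reference, so the later close drops the count of the currently bound object to zero; in the heap variant each bind has its own count and the close affects only the object that was open.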

Affected products

1
  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Range: >=3.19,<6.12.83


References

5
