CVE-2026-31721
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL
When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them.
The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance.
Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's f_hid USB gadget driver, wait queue initialization in bind caused list corruption on UDC rebind; fixed by moving init to alloc.
The vulnerability resides in the Linux kernel's USB f_hid gadget driver. When a HID gadget is bound and a user opens /dev/hidg0, the driver initializes wait queues and other data structures in the hidg_bind function. If the UDC is then unbound and rebound while the file descriptor remains open and is used with epoll, the bind function re-initializes the wait queues while they still contain entries, leading to a list_del corruption when the epoll file descriptor is later removed [1].
Exploitation requires a specific sequence: setup and bind a HID gadget, open /dev/hidg0, add the fd to an epoll instance (EPOLL_CTL_ADD), unbind the UDC, bind the UDC again, and then attempt to remove the fd from epoll (EPOLL_CTL_DEL). This sequence triggers the corruption, which is detectable when CONFIG_DEBUG_LIST is enabled, but may cause memory corruption in production kernels.
The impact is a kernel list corruption that can lead to a system crash or potentially exploitable memory corruption. An attacker with local access and the ability to control USB gadget binding and unbinding could trigger this condition, though the attack surface is limited to systems using the USB gadget subsystem with HID functions.
The fix, committed in the Linux kernel stable tree, moves the initialization of wait queues and other data structures from hidg_bind to hidg_alloc, ensuring they are initialized once per function instance and not re-initialized while in use [1]. Users should update to a patched kernel version containing this commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
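The list invariant behind this report, as an added example that is neither kernel code nor part of the CVE record: a userspace C model in which `struct hidg_model`, `model_alloc` and `model_bind` are hypothetical stand-ins for the f_hid function instance, and `list_del_checked` is modelled on the neighbour check CONFIG_DEBUG_LIST applies before unlinking an entry.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Neighbour check modelled on CONFIG_DEBUG_LIST: both neighbours must
 * still point back at the entry, otherwise the unlink is refused. */
static bool list_del_checked(struct list_head *e)
{
    if (e->prev->next != e || e->next->prev != e)
        return false;            /* "list_del corruption" would be reported */
    e->next->prev = e->prev;
    e->prev->next = e->next;
    return true;
}

/* Hypothetical stand-in for the function instance and its wait queue. */
struct hidg_model { struct list_head queue; };

static void model_alloc(struct hidg_model *h, bool fixed) { if (fixed) init_list_head(&h->queue); }
static void model_bind(struct hidg_model *h, bool fixed)  { if (!fixed) init_list_head(&h->queue); }

/* Replays alloc, bind, poll registration, rebind, removal on the model. */
bool rebind_then_remove_ok(bool fixed)
{
    struct hidg_model h;
    struct list_head waiter;             /* models the epoll wait entry */
    model_alloc(&h, fixed);
    model_bind(&h, fixed);
    list_add(&waiter, &h.queue);         /* EPOLL_CTL_ADD -> poll_wait */
    model_bind(&h, fixed);               /* UDC unbind, then bind again */
    return list_del_checked(&waiter);    /* EPOLL_CTL_DEL -> remove_wait_queue */
}

int main(void)
{
    printf("init in bind:  removal ok = %d\n", rebind_then_remove_ok(false));
    printf("init in alloc: removal ok = %d\n", rebind_then_remove_ok(true));
    return 0;
}
```

With the head initialised in bind, the second bind resets the head's pointers while the waiter still references it, so the check fails; with the head initialised once in alloc, the waiter unlinks cleanly.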
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=3.19,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18 (nvd, Patch)
- git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488 (nvd, Patch)
- git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 (nvd, Patch)
- git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f (nvd, Patch)
- git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134 (nvd, Patch)
- git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03 (nvd, Patch)
- git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d (nvd, Patch)
- git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362 (nvd, Patch)
News mentions
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)