CVE-2026-31722
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_rndis: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the borrowed_net flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel vulnerability in USB gadget f_rndis causes dangling sysfs symlinks due to improper net_device lifecycle management across bind/unbind cycles, fixed by reparenting via device_move().
Vulnerability
Description
The Linux kernel's USB gadget subsystem, specifically the f_rndis function, suffers from a net_device lifecycle management flaw. When the RNDIS function unbinds, the parent gadget device is destroyed, but the allocated net_device remains, leading to dangling sysfs symlinks (e.g., /sys/class/net/usb0 pointing to a non-existent path). This occurs because the net_device is registered with the gadget device as its sysfs parent, and upon unbind, no reparenting is performed [1].
Attack
Vector and Prerequisites
An attacker can trigger this vulnerability by causing the USB gadget to unbind and rebind, for example by physically detaching and reattaching the USB device or by manipulating USB gadget configuration through sysfs or configfs. No special privileges are required beyond the ability to trigger gadget unbind/bind cycles, which may be accessible to local users with physical access or control of the USB subsystem.
Impact
After an unbind operation, any access to the stale sysfs symlink (e.g., via ls or readlink) will fail with "No such file or directory". This can lead to user confusion or denial of service for tools relying on the network device sysfs entries. No code execution or privilege escalation is known to be possible. The impact is limited to sysfs inconsistency.
Mitigation
The fix has been applied to multiple stable kernel branches (e.g., commit e367599529dc in the mainline). Users should update their kernel to a patched version. A workaround is to avoid unbinding the RNDIS function while it is in use, but the proper solution is to apply the kernel update [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.11,<6.12.81
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026