CVE-2026-31723
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_subset: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free style lifecycle bug in Linux kernel's USB f_subset gadget driver allows dangling sysfs symlinks after gadget unbind.
Root
Cause
The Linux kernel's USB f_subset gadget function allocates a net_device during instance creation and registers it in sysfs with the gadget device as parent. When the gadget unbinds, the parent gadget device is destroyed, but the net_device is not reparented, leaving dangling sysfs symlinks. This was reported in the kernel stable commit series, where the fix uses device_move() to reparent the network device [1][2][3][4].
Exploitation
An attacker withMedium severity (CVSS 3.1 5.5) and low attack complexity, an attacker with physical USB access or ability to trigger gadget unbind (e.g., via hotplug) could cause repeated bind/unbind cycles. No authentication is required, as the attack relies on manipulating the USB gadget lifecycle, which is accessible from user space through sysfs or USB events [1].
Impact
After unbind, userspace utilities (e.g., ls /sys/class/net/usb0) follow a broken symlink to a non-existent path, potentially causing confusion, denial of service for network management tools, or incorrect state tracking. The dangling reference could also affect power management ordering, as the kernel expects a correct device tree hierarchy [1][2].
Mitigation
The fix has been backported to stable kernels via commits [1], [2], [3], and [4]. Users should update to kernels containing these commits. No workaround short of patching is available. The vulnerability is not listed as exploited in the wild (no KEV mention), but given the commonality of USB gadgets, updating is recommended.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.11,<6.12.81
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026