CVE-2026-31724
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_eem: Fix net_device lifecycle with device_move
The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds, the parent device is destroyed, but the net_device survives, resulting in dangling sysfs symlinks:
console:/ # ls -l /sys/class/net/usb0 lrwxrwxrwx ... /sys/class/net/usb0 -> /sys/devices/platform/.../gadget.0/net/usb0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0 ls: .../gadget.0/net/usb0: No such file or directory
Use device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles. During the final unbind, calling device_move(NULL) moves the net_device to the virtual device tree before the gadget device is destroyed. On rebinding, device_move() reparents the device back under the new gadget, ensuring proper sysfs topology and power management ordering.
To maintain compatibility with legacy composite drivers (e.g., multi.c), the bound flag is used to indicate whether the network device is shared and pre-registered during the legacy driver's bind phase.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's f_eem USB gadget, a dangling sysfs symlink occurs when net_device outlives its parent gadget device during unbind, fixed by reparenting.
Vulnerability
Description
In the Linux kernel's USB Ethernet Emulation Model (f_eem) gadget driver, the net_device is allocated during function instance creation and registered with the gadget device as its sysfs parent during bind. However, when the function unbinds, the parent gadget device is destroyed while the net_device remains, leading to dangling sysfs symlinks. This results in inconsistent sysfs topology, as the symlink in /sys/class/net/usb0 points to a non-existent path [1].
Exploitation
An attacker with the ability to trigger USB gadget bind/unbind cycles (e.g., by physically connecting/disconnecting a USB device or via sysfs interactions) can cause the dangling sysfs entry. No special privileges are required beyond access to trigger unbind operations, which may be available to local users or via automated USB events.
Impact
The dangling sysfs symlink can lead to denial of service (DoS) when users or tools attempt to access the network device via sysfs, encountering "No such file or directory" errors. Additionally, improper power management ordering may occur due to the broken parent relationship. The vulnerability does not directly enable code execution but degrades system reliability.
Mitigation
The fix introduces device_move() to reparent the net_device between the gadget device tree and /sys/devices/virtual across bind and unbind cycles, ensuring proper sysfs cleanup. Patches have been applied to stable kernel branches [1]. Users should update to the latest patched kernel version.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=3.11.1,<6.12.81
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
1- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026