CVE-2026-31725

Root

Cause

The vulnerability in the Linux kernel's USB gadget f_ecm function driver arises from a lifecycle management flaw. The net_device is allocated during function instance creation and registered with the gadget device as its sysfs parent during the bind phase. However, when the function unbinds, the parent gadget device is destroyed while the net_device persists, leaving dangling sysfs symlinks (e.g., /sys/class/net/usb0 pointing to a nonexistent path) [1]. This breaks sysfs topology and can cause errors in userspace tools and power management ordering.

Exploitation

Scenario

While this is not a remotely exploitable vulnerability, it can be triggered by any user or process capable of causing a USB gadget function to unbind and rebind. Typical scenarios include reconfiguring a USB gadget device or dynamic loading/unloading of composite drivers. The dangling symlinks do not grant direct privilege escalation, but they can lead to system instability, confuse network management utilities, and potentially enable information leak through stale device references.

Impact

An attacker with the ability to manipulate USB gadget bindings (e.g., via physical access or certain administrative actions) could repeatedly exploit this condition. The primary impact is a denial of service (system availability) due to failed operations on the orphaned net_device and unpredictable behavior of the networking stack. The CVSS v3 score of 5.5 (Medium) reflects the moderate severity of this availability issue.

Mitigation

The fix has been applied in multiple Linux kernel stable commits. The main commit [1] and its backports [2][3][4] introduce the use of device_move() to reparent the net_device to /sys/devices/virtual before the gadget device is destroyed during unbind, and to move it back under the new gadget on rebind. Users should apply the latest kernel updates from their distribution. No workaround is available for unpatched kernels.