CVE-2026-31754
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: cdns3: gadget: fix state inconsistency on gadget init failure
When cdns3_gadget_start() fails, the DRD hardware is left in gadget mode while software state remains INACTIVE, creating hardware/software state inconsistency.
When switching to host mode via sysfs: echo host > /sys/class/usb_role/13180000.usb-role-switch/role
The role state is not set to CDNS_ROLE_STATE_ACTIVE due to the error, so cdns_role_stop() skips cleanup because state is still INACTIVE. This violates the DRD controller design specification (Figure22), which requires returning to idle state before switching roles.
This leads to a synchronous external abort in xhci_gen_setup() when setting up the host controller:
[ 516.440698] configfs-gadget 13180000.usb: failed to start g1: -19 [ 516.442035] cdns-usb3 13180000.usb: Failed to add gadget [ 516.443278] cdns-usb3 13180000.usb: set role 2 has failed ... [ 1301.375722] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller [ 1301.377716] Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP [ 1301.382485] pc : xhci_gen_setup+0xa4/0x408 [ 1301.393391] backtrace: ... xhci_gen_setup+0xa4/0x408 <-- CRASH xhci_plat_setup+0x44/0x58 usb_add_hcd+0x284/0x678 ... cdns_role_set+0x9c/0xbc <-- Role switch
Fix by calling cdns_drd_gadget_off() in the error path to properly clean up the DRD gadget state.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A state inconsistency in the Linux kernel bug in cdns3 gadget init failure can cause a synchronous external abort when switching to host mode.
Vulnerability
In the Linux kernel's USB cdns3 driver, when cdns3_gadget_start() fails, the DRD (Dual Role Device) hardware remains in gadget mode while the software state is set to INACTIVE. This creates a hardware/software state inconsistency that violates the DRD controller design specification, which requires returning to an idle state before switching roles [1].
Exploitation
The inconsistency is triggered when a user attempts to switch the role to host mode via sysfs (e.g., echo host > /sys/class/usb_role/13180000.usb-role-switch/role). Because the role state is not set to CDNS_ROLE_STATE_INACTIVE due to the earlier gadget init failure, cdns_role_stop() skips cleanup, leaving the hardware in an inconsistent state. This leads to a synchronous external abort in xhci_gen_setup() during host controller setup [1].
Impact
An attacker with local access and the ability to trigger a gadget init failure (e.g., by causing -19 error) and then switch roles can cause a kernel crash (synchronous external abort), resulting in a denial of service. The crash trace shows the abort occurs in xhci_gen_setup during cdns_role_set [1].
Mitigation
The fix, committed in the Linux kernel stable tree, calls cdns_drd_gadget_off() in the error path of cdns3_gadget_start() to properly clean up the DRD gadget state and avoid the inconsistency [1]. Users should apply the latest stable kernel updates containing this commit.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=5.4,<5.15.203
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/5a85599ca4d2584d89dc69f4fc49303b75a42338nvdPatch
- git.kernel.org/stable/c/9b1d301fbae837bf6979a19030b81d869bb15f7anvdPatch
- git.kernel.org/stable/c/b490f0e477d26d29ed51e5dc47e3b9bd31bcb49fnvdPatch
- git.kernel.org/stable/c/c32f8748d70c8fc77676ad92ed76cede17bf2c48nvdPatch
- git.kernel.org/stable/c/c7e475ae3a5593c5db21b3b7dca4ba8bdac9b47fnvdPatch
- git.kernel.org/stable/c/cfca84f5986afceb63a3adf39d4a98e915aebbc2nvdPatch
- git.kernel.org/stable/c/fb7110a052467098967284ef14d306810b354937nvdPatch
News mentions
0No linked articles in our index yet.