In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL
When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait, were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them.
The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance.
Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
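The sequence above, modelled in user space as an added example (this is not the kernel's f_hid code or the fix itself): a minimal intrusive doubly-linked list in the style of <linux/list.h>, with the validity check that CONFIG_DEBUG_LIST performs before unlinking, and a toy function instance whose wait-queue head is either re-initialized on every bind (the behaviour the description reports) or initialized once at alloc (the behaviour the fix moves to). The names hidg_instance, read_queue, bind_buggy, alloc_fixed and bind_fixed are assumptions chosen for the illustration; a real wait_queue_head_t also carries a spinlock, which is omitted here.

```c
/* Added example, not kernel code: why re-initializing a list head while
 * entries are still linked into it trips the CONFIG_DEBUG_LIST check on
 * the next removal. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *entry, struct list_head *head)
{
    struct list_head *next = head->next;
    next->prev = entry;
    entry->next = next;
    entry->prev = head;
    head->next = entry;
}

/* Mirrors the neighbour check CONFIG_DEBUG_LIST does before unlinking:
 * both neighbours must still point back at the entry. */
static bool list_del_entry_valid(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}

/* Returns true on a clean unlink, false for the "list_del corruption" case. */
static bool list_del_checked(struct list_head *e)
{
    if (!list_del_entry_valid(e))
        return false;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = e->prev = NULL;
    return true;
}

/* Toy model of the function instance (name is an assumption). The wait-queue
 * head is reduced to its list head; the spinlock is left out. */
struct hidg_instance { struct list_head read_queue; };

/* Buggy variant: head initialized inside bind, so every bind re-inits it. */
static void bind_buggy(struct hidg_instance *f) { INIT_LIST_HEAD(&f->read_queue); }

/* Fixed variant: head initialized once at alloc; bind leaves it alone. */
static void alloc_fixed(struct hidg_instance *f) { INIT_LIST_HEAD(&f->read_queue); }
static void bind_fixed(struct hidg_instance *f) { (void)f; }

/* Runs the reported sequence: bind, EPOLL_CTL_ADD (poll_wait queues an entry),
 * unbind, bind again, EPOLL_CTL_DEL (remove_wait_queue unlinks it).
 * Returns whether the final unlink passed the debug-list check. */
static bool run_sequence(bool fixed)
{
    struct hidg_instance f = { { NULL, NULL } };
    struct list_head epoll_entry;            /* the entry poll_wait queued */

    if (fixed) {
        alloc_fixed(&f);
        bind_fixed(&f);
    } else {
        bind_buggy(&f);
    }
    list_add(&epoll_entry, &f.read_queue);   /* EPOLL_CTL_ADD -> poll_wait */
    /* unbind: nothing touches the queue */
    if (fixed)
        bind_fixed(&f);                      /* second bind leaves the head alone */
    else
        bind_buggy(&f);                      /* second bind re-inits the head */
    return list_del_checked(&epoll_entry);   /* EPOLL_CTL_DEL -> remove_wait_queue */
}

int main(void)
{
    printf("init in bind:  %s\n", run_sequence(false) ? "clean" : "list_del corruption");
    printf("init in alloc: %s\n", run_sequence(true) ? "clean" : "list_del corruption");
    return 0;
}
```

After the second bind in the buggy variant the head points at itself again, so the queued entry's prev still points at the head but the head no longer points at the entry, which is exactly the inconsistency the debug check catches; with the head initialized once at alloc the entry's neighbours remain consistent across unbind/bind and the removal is clean.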
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31721.json",
"cna_assigner": "Linux"
}