CVE-2026-31728

Source
https://cve.org/CVERecord?id=CVE-2026-31728
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31728.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31728
Downstream
Published
2026-05-01T14:14:28.231Z
Modified
2026-07-08T08:00:04.961194369Z
Summary
usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: uether: Fix race between getherdisconnect and eth_stop

A race condition between getherdisconnect() and ethstop() leads to a NULL pointer dereference. Specifically, if ethstop() is triggered concurrently while getherdisconnect() is tearing down the endpoints, eth_stop() attempts to access the cleared endpoint descriptor, causing the following NPE:

Unable to handle kernel NULL pointer dereference Call trace: _dwc3gadgetepenable+0x60/0x788 dwc3gadgetepenable+0x70/0xe4 usbepenable+0x60/0x15c ethstop+0xb8/0x108

Because ethstop() crashes while holding the dev->lock, the thread running getherdisconnect() fails to acquire the same lock and spins forever, resulting in a hardlockup:

Core - Debugging Information for Hardlockup core(7) Call trace: queuedspinlockslowpath+0x94/0x488 rawspinlock+0x64/0x6c getherdisconnect+0x19c/0x1e8 ncmsetalt+0x68/0x1a0 compositesetup+0x6a0/0xc50

The root cause is that the clearing of dev->portusb in getherdisconnect() is delayed until the end of the function.

Move the clearing of dev->portusb to the very beginning of getherdisconnect() while holding dev->lock. This cuts off the link immediately, ensuring ethstop() will see dev->portusb as NULL and safely bail out.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31728.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2b3d942c4878084a37991a65e66512c02b8fa2ad
Fixed
f02980594deef751e42133714aee25228f1494c6
Fixed
e1e7a66584bf0aff3becb73c19fa31527889fc9e
Fixed
a259ba0bce3b192c04334499690372a250f7d0b1
Fixed
f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca
Fixed
bbb09bb89ffa571475f66daca9482b974cd29d6a
Fixed
6ad77458637b78ec655e3da5f112c862e6690a9d
Fixed
8ff689edfeceb5e3ec1623e09af2b2aa0f1098a8
Fixed
e1eabb072c75681f78312c484ccfffb7430f206e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31728.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.27
Fixed
5.10.253
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.203
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.169
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.134
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.81
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.22
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31728.json"