CVE-2026-31721
Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: move list and spinlock inits from bind to alloc

There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL

When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them.

The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
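The failure sequence above, as an added userspace model rather than kernel code (it is not part of this advisory or of the f_hid driver): a list in the style of the kernel's list.h, a CONFIG_DEBUG_LIST-like validity check in the delete path, a "function instance" that owns a wait-queue-like head, and one waiter standing in for the wait_queue_entry that epoll links in through poll_wait() and only unlinks on EPOLL_CTL_DEL. The names hidg_alloc, hidg_bind, hidg_unbind, run_sequence and list_del_checked are hypothetical stand-ins whose bodies are simplified for illustration; the switch init_in_alloc selects the pre-fix behaviour (head initialised in bind) or the fixed one (head initialised in alloc).

```c
/* Userspace model of the CVE-2026-31721 lifetime bug (hypothetical names,
 * not kernel code): re-initialising a wait-queue head in bind() while an
 * epoll waiter is still linked into it makes the later unlink fail the
 * CONFIG_DEBUG_LIST style check. Moving the init to alloc() avoids it. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *item, struct list_head *head)
{
    item->next = head->next;
    item->prev = head;
    head->next->prev = item;
    head->next = item;
}

/* Mirrors the kernel's __list_del_entry_valid() idea: the neighbours must
 * still point back at the entry being removed. On corruption the list is
 * left untouched and false is returned instead of poisoning memory. */
static bool list_del_checked(struct list_head *entry)
{
    struct list_head *prev = entry->prev, *next = entry->next;
    if (prev->next != entry || next->prev != entry) {
        fprintf(stderr, "list_del corruption: %p prev->next=%p next->prev=%p\n",
                (void *)entry, (void *)prev->next, (void *)next->prev);
        return false;
    }
    prev->next = next;
    next->prev = prev;
    entry->next = entry->prev = NULL;
    return true;
}

/* Stand-in for the f_hid function instance; read_queue models a
 * wait_queue_head that must live as long as the instance, not the binding. */
struct hidg { struct list_head read_queue; bool bound; };

/* Stand-in for epoll's wait_queue_entry, hooked in via poll_wait(). */
struct waiter { struct list_head entry; };

static void hidg_alloc(struct hidg *h, bool init_in_alloc)
{
    h->bound = false;
    if (init_in_alloc)
        INIT_LIST_HEAD(&h->read_queue);   /* fixed placement */
}

static void hidg_bind(struct hidg *h, bool init_in_alloc)
{
    if (!init_in_alloc)
        INIT_LIST_HEAD(&h->read_queue);   /* buggy: clobbers a live head */
    h->bound = true;
}

static void hidg_unbind(struct hidg *h) { h->bound = false; }

/* Walks the reported steps: bind, EPOLL_CTL_ADD (poll_wait links the
 * waiter), unbind, bind, EPOLL_CTL_DEL (ep_remove_wait_queue unlinks it).
 * Returns true when the final unlink passes the debug check. */
static bool run_sequence(bool init_in_alloc)
{
    struct hidg h;
    struct waiter w;

    hidg_alloc(&h, init_in_alloc);
    hidg_bind(&h, init_in_alloc);
    list_add(&w.entry, &h.read_queue);    /* poll_wait() on EPOLL_CTL_ADD */
    hidg_unbind(&h);
    hidg_bind(&h, init_in_alloc);         /* second bind; buggy variant re-inits */
    return list_del_checked(&w.entry);    /* EPOLL_CTL_DEL */
}

int main(void)
{
    printf("init in bind (pre-fix): %s\n",
           run_sequence(false) ? "ok" : "list_del corruption");
    printf("init in alloc (fixed):  %s\n",
           run_sequence(true) ? "ok" : "list_del corruption");
    return 0;
}
```

In the pre-fix path the second bind resets the head to point at itself, so the waiter's prev->next no longer points back at the waiter and the check fails, which is the list_del corruption the commit message reports; the real kernel would continue into remove_wait_queue's unlink on a head that no longer knows about the entry. The model has no equivalent of the spinlock inits the commit also moved, since those do not change the list walk.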
| Name | CVE-2026-31721 |
|---|---|
| Description | (see Description above) |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-4561-1, DSA-6243-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | vulnerable |
| linux (PTS) | bullseye (security) | 5.10.257-1 | vulnerable |
| linux (PTS) | bookworm | 6.1.170-3 | fixed |
| linux (PTS) | bookworm (security) | 6.1.172-1 | fixed |
| linux (PTS) | trixie | 6.12.86-1 | fixed |
| linux (PTS) | trixie (security) | 6.12.90-1 | fixed |
| linux (PTS) | forky | 7.0.9-1 | fixed |
| linux (PTS) | sid | 7.0.10-1 | fixed |
| linux-6.1 (PTS) | bullseye (security) | 6.1.174-1~deb11u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | bookworm | 6.1.170-1 | | DSA-6243-1 | |
| linux | source | trixie | 6.12.85-1 | | | |
| linux | source | (unstable) | 6.19.12-1 | | | |
| linux-6.1 | source | bullseye | 6.1.170-1~deb11u1 | | DLA-4561-1 | |
Notes
https://git.kernel.org/linus/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 (7.0-rc7)
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 6.1.170-1 |
| debian | bullseye | fixed | 6.1.170-1~deb11u1 |
| debian | forky | fixed | 6.19.12-1 |
| debian | sid | fixed | 6.19.12-1 |
| debian | trixie | fixed | 6.12.85-1 |
| linux-kernel | | affected | 5.10.253 |
| linux-kernel | 7.0 | affected | |
| windows | | affected | |
References
- https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18
- https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488
- https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2
- https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f
- https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134
- https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03
- https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d
- https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362
- https://www.suse.com/security/cve/CVE-2026-31721.html
- https://security-tracker.debian.org/tracker/CVE-2026-31721
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31721