usb: gadget: f_hid: move list and spinlock inits from bind to alloc

Summary

CVECVE-2026-31721
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-05-01 15:16:34 UTC
Updated2026-05-06 20:56:34 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind the UDC - use the fd in EPOLL_CTL_DEL When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them. The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance. Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.000240000 probability, percentile 0.068060000 (date 2026-05-05)

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 13440c0db227c5db01da751ed966dde4cdd2ea18 git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 de93e0862169b5539e00c2b9980b93fd80c37c0d git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 81aee4500055876883658b024b6fb61801afe134 git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 8ec6a58586f195a88479edcdb0b8027c39f12d03 git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 f7d00ee1c8082c8a134340aaf16d71a27e29c362 git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 5d1bb391ceeebb28327703dd07af8c6324af298f git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 26a879a41ed960b3fb4ec773ef2788c515c0e488 git Not specified
CNA Linux Linux affected cb382536052fcc7713988869b54a81137069e5a9 4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 git Not specified
CNA Linux Linux affected 3.19 Not specified
CNA Linux Linux unaffected 3.19 semver Not specified
CNA Linux Linux unaffected 5.10.253 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.203 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.169 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.135 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.81 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.22 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19.12 6.19.* semver Not specified
CNA Linux Linux unaffected 7.0 * original_commit_for_fix Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report