GHSA-8R63-5629-3MPC

Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-05-01 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: move list and spinlock inits from bind to alloc

There was an issue when you did the following:

- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL

When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported within remove_wait_queue (via ep_remove_wait_queue). After some debugging I found out that the queues, which f_hid registers via poll_wait were the problem. These were initialized using init_waitqueue_head inside hidg_bind. So effectively, the bind function re-initialized the queues while there were still items in them.

The solution is to move the initialization from hidg_bind to hidg_alloc to extend their lifetimes to the lifetime of the function instance.

Additionally, I found many other possibly problematic init calls in the bind function, which I moved as well.
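The sequence described above, replayed in a userspace model. This is an added example, not code from the kernel or from the fix; `hidg_model`, `model_alloc`, `model_bind` and `replay` are hypothetical names, and a bare list head stands in for the wait queue that the driver sets up with `init_waitqueue_head`.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal userspace model of the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *e, struct list_head *h)
{
    e->next = h->next; e->prev = h;
    h->next->prev = e; h->next = e;
}

/* The neighbour invariant that CONFIG_DEBUG_LIST verifies before unlinking. */
static bool list_del_checked(struct list_head *e)
{
    if (e->prev->next != e || e->next->prev != e)
        return false;                       /* "list_del corruption" */
    e->next->prev = e->prev; e->prev->next = e->next;
    return true;
}

/* Hypothetical stand-in for the f_hid function instance and one wait queue. */
struct hidg_model { struct list_head read_queue; };

/* fixed == true models the patched placement of the init call (in alloc). */
static void model_alloc(struct hidg_model *h, bool fixed)
{ if (fixed) init_list_head(&h->read_queue); }

static void model_bind(struct hidg_model *h, bool fixed)
{ if (!fixed) init_list_head(&h->read_queue); /* pre-fix: init on every bind */ }

/* Replays the reported sequence; returns true if the final removal is clean. */
static bool replay(bool fixed)
{
    struct hidg_model h;
    struct list_head waiter;                /* entry registered via poll_wait */

    model_alloc(&h, fixed);
    model_bind(&h, fixed);                  /* first bind */
    list_add(&waiter, &h.read_queue);       /* EPOLL_CTL_ADD */
    model_bind(&h, fixed);                  /* unbind the UDC, bind it again */
    return list_del_checked(&waiter);       /* EPOLL_CTL_DEL */
}

int main(void)
{
    printf("init in bind:  %s\n", replay(false) ? "ok" : "list_del corruption");
    printf("init in alloc: %s\n", replay(true) ? "ok" : "list_del corruption");
    return 0;
}
```

With the init in bind, the head points back at itself after the second bind while the waiter still points at the head, so the neighbour check fails on removal.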


{
  "affected": [],
  "aliases": [
    "CVE-2026-31721"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-01T15:16:34Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_hid: move list and spinlock inits from bind to alloc\n\nThere was an issue when you did the following:\n- setup and bind an hid gadget\n- open /dev/hidg0\n- use the resulting fd in EPOLL_CTL_ADD\n- unbind the UDC\n- bind the UDC\n- use the fd in EPOLL_CTL_DEL\n\nWhen CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported\nwithin remove_wait_queue (via ep_remove_wait_queue). After some\ndebugging I found out that the queues, which f_hid registers via\npoll_wait were the problem. These were initialized using\ninit_waitqueue_head inside hidg_bind. So effectively, the bind function\nre-initialized the queues while there were still items in them.\n\nThe solution is to move the initialization from hidg_bind to hidg_alloc\nto extend their lifetimes to the lifetime of the function instance.\n\nAdditionally, I found many other possibly problematic init calls in the\nbind function, which I moved as well.",
  "id": "GHSA-8r63-5629-3mpc",
  "modified": "2026-05-01T15:30:33Z",
  "published": "2026-05-01T15:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31721"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/13440c0db227c5db01da751ed966dde4cdd2ea18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26a879a41ed960b3fb4ec773ef2788c515c0e488"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e0a88254ad59f6c53a34bf5fa241884ec09e8b2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d1bb391ceeebb28327703dd07af8c6324af298f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81aee4500055876883658b024b6fb61801afe134"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8ec6a58586f195a88479edcdb0b8027c39f12d03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de93e0862169b5539e00c2b9980b93fd80c37c0d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f7d00ee1c8082c8a134340aaf16d71a27e29c362"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

