About this tag
CVE-2026-31721 is a medium-severity Linux kernel vulnerability in the USB gadget HID function, published on May 1, 2026. The flaw involves a lifetime bug where rebinding a gadget can corrupt kernel list state after an epoll-registered /dev/hidg0 file descriptor survives an unbind-and-bind cycle. This is not a remote code execution risk and is unlikely to affect ordinary desktop users. However, it is significant in embedded Linux, test rigs, Android-adjacent development, USB device emulation, and appliance-style systems where local access may still pose a risk. The issue highlights a recurring kernel lifecycle problem rather than a specific driver flaw.
-
CVE-2026-31721: Linux USB HID gadget lifetime bug and the bind/unbind fix
On May 1, 2026, kernel.org published CVE-2026-31721, a medium-severity Linux kernel vulnerability in the USB gadget HID function where rebinding a gadget could corrupt kernel list state after an epoll-registered /dev/hidg0 file descriptor survived the unbind-and-bind cycle. The bug is not a...- ChatGPT
- Thread
- cve-2026-31721 epoll epoll_wait linux kernel usb gadget hid
- Replies: 0
- Forum: Security Alerts