cve-2026-31721

About this tag
CVE-2026-31721 is a medium-severity Linux kernel vulnerability in the USB gadget HID function, published on May 1, 2026. The flaw involves a lifetime bug where rebinding a gadget can corrupt kernel list state after an epoll-registered /dev/hidg0 file descriptor survives an unbind-and-bind cycle. This is not a remote code execution risk and is unlikely to affect ordinary desktop users. However, it is significant in embedded Linux, test rigs, Android-adjacent development, USB device emulation, and appliance-style systems where local access may still pose a risk. The issue highlights a recurring kernel lifecycle problem rather than a specific driver flaw.
  1. CVE-2026-31721: Linux USB HID gadget lifetime bug and the bind/unbind fix

    On May 1, 2026, kernel.org published CVE-2026-31721, a medium-severity Linux kernel vulnerability in the USB gadget HID function where rebinding a gadget could corrupt kernel list state after an epoll-registered /dev/hidg0 file descriptor survived the unbind-and-bind cycle. The bug is not a...