Bug 2464381 (CVE-2026-31721) - CVE-2026-31721 kernel: usb: gadget: f_hid: move list and spinlock inits from bind to alloc
Summary: CVE-2026-31721 kernel: usb: gadget: f_hid: move list and spinlock inits from ...
Keywords:
Status: NEW
Alias: CVE-2026-31721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:03 UTC by OSIDB Bzimport
Modified: 2026-05-01 20:46 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:03:31 UTC 
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_hid: move list and spinlock inits from bind to alloc

There was an issue when you did the following:
- setup and bind an hid gadget
- open /dev/hidg0
- use the resulting fd in EPOLL_CTL_ADD
- unbind the UDC
- bind the UDC
- use the fd in EPOLL_CTL_DEL

When CONFIG_DEBUG_LIST was enabled, a list_del corruption was reported
within remove_wait_queue (via ep_remove_wait_queue). After some
debugging I found out that the queues, which f_hid registers via
poll_wait were the problem. These were initialized using
init_waitqueue_head inside hidg_bind. So effectively, the bind function
re-initialized the queues while there were still items in them.

The solution is to move the initialization from hidg_bind to hidg_alloc
to extend their lifetimes to the lifetime of the function instance.

Additionally, I found many other possibly problematic init calls in the
bind function, which I moved as well.
Comment 1 Keith Grant 2026-05-01 20:44:40 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050133-CVE-2026-31721-3c17@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.