CVE-2026-31728 Overview
CVE-2026-31728 is a race condition vulnerability in the Linux kernel's USB gadget u_ether driver. The flaw occurs between gether_disconnect() and eth_stop(), leading to a NULL pointer dereference and a subsequent kernel hardlockup. When eth_stop() runs concurrently with gether_disconnect() tearing down endpoints, it accesses a cleared endpoint descriptor while holding dev->lock. The crash leaves the lock held, causing gether_disconnect() to spin forever and deadlock the core. The issue is classified under [CWE-362] (Concurrent Execution using Shared Resource with Improper Synchronization) and affects systems using the USB Ethernet gadget functionality, including NCM (Network Control Model) configurations.
Critical Impact
A local attacker triggering USB gadget reconfiguration during teardown can cause a kernel hardlockup, resulting in denial of service on the affected host.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix)
- Linux Kernel 7.0 release candidates rc1 through rc6
- Systems using the USB gadget u_ether driver with functions such as NCM
Discovery Timeline
- 2026-05-01 - CVE-2026-31728 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31728
Vulnerability Analysis
The vulnerability resides in drivers/usb/gadget/function/u_ether.c. The u_ether driver provides Ethernet-over-USB functionality used by gadget functions like NCM, ECM, and RNDIS. Two code paths can run concurrently against the same eth_dev structure: the network stack invoking eth_stop() to bring the interface down, and the USB composite layer invoking gether_disconnect() when an alternate setting changes.
gether_disconnect() clears the endpoint descriptors as part of tearing down the link, but only resets dev->port_usb to NULL at the end of the function. During this window, eth_stop() observes a non-NULL dev->port_usb and proceeds to call usb_ep_enable() on an endpoint whose descriptor has already been cleared. This dereferences a NULL pointer inside __dwc3_gadget_ep_enable() on DesignWare USB3 controllers.
Root Cause
The root cause is delayed clearing of the dev->port_usb pointer in gether_disconnect(). The cleanup ordering allows eth_stop() to observe a stale link reference while endpoint descriptors are already invalid. Because eth_stop() crashes while holding dev->lock, the spinlock is never released. The thread executing gether_disconnect() then spins on _raw_spin_lock() indefinitely, producing a hardlockup observable in composite_setup() and ncm_set_alt() call paths.
Attack Vector
Exploitation requires local access on a system exposing the USB gadget interface. An attacker with the ability to bring the network interface up and down while triggering USB configuration changes (such as alternate setting selection on an NCM function) can race the two code paths. Successful exploitation produces a kernel NULL pointer dereference followed by a hardlockup, denying service to the affected core or system. The CVSS vector indicates the attack requires local access, low privileges, and high attack complexity due to the timing window required to win the race.
No public exploit code or proof-of-concept is available for this vulnerability. The fix relocates the clearing of dev->port_usb to the start of gether_disconnect() under dev->lock, ensuring eth_stop() observes a NULL pointer and bails out safely.
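The ordering problem described under Root Cause, and the effect of the fix, can be checked with a small state model. This is an added example, not kernel code and not part of the original advisory: the function names mirror the advisory, while the step granularity (each function is one atomic step) and the dictionary fields are assumptions made for illustration.

```python
# Toy model of the teardown ordering in u_ether (added illustration).
# Assumption: every function below executes as one atomic step.

def new_dev():
    # port_usb / ep_desc: True means the pointer is non-NULL
    return {"port_usb": True, "ep_desc": True, "lock_held": False, "result": "ok"}

def clear_ep_desc(dev):
    """gether_disconnect(): endpoint descriptor is cleared."""
    dev["ep_desc"] = False

def clear_port_usb(dev):
    """gether_disconnect(): dev->port_usb = NULL, done under dev->lock."""
    if dev["lock_held"]:
        # The crashed eth_stop() still owns dev->lock, so this spins forever.
        dev["result"] = "NULL deref, then hardlockup"
        return
    dev["port_usb"] = False

def eth_stop(dev):
    """eth_stop(): takes dev->lock, touches endpoints only if the link is set."""
    dev["lock_held"] = True
    if dev["port_usb"] and not dev["ep_desc"]:
        dev["result"] = "NULL deref"  # usb_ep_enable() on a cleared descriptor
        return                        # crashed: dev->lock is never released
    dev["lock_held"] = False

VULNERABLE = [clear_ep_desc, clear_port_usb]  # port_usb cleared last
FIXED = [clear_port_usb, clear_ep_desc]       # port_usb cleared first

def explore(disconnect_steps):
    """Run eth_stop() at every point of the teardown; one result per point."""
    results = []
    for cut in range(len(disconnect_steps) + 1):
        dev = new_dev()
        for step in disconnect_steps[:cut]:
            step(dev)
        eth_stop(dev)
        for step in disconnect_steps[cut:]:
            step(dev)
        results.append(dev["result"])
    return results

if __name__ == "__main__":
    print("before fix:", explore(VULNERABLE))
    print("after fix: ", explore(FIXED))
```

Only the interleaving where eth_stop() runs between the two teardown steps fails in the original ordering; with port_usb cleared first, every interleaving in the model completes.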
Detection Methods for CVE-2026-31728
Indicators of Compromise
- Kernel panic logs containing Unable to handle kernel NULL pointer dereference with a call trace through __dwc3_gadget_ep_enable, usb_ep_enable, and eth_stop.
- Hardlockup watchdog messages with stack traces showing queued_spin_lock_slowpath followed by gether_disconnect and ncm_set_alt.
- Unexpected system or core hangs correlated with USB gadget reconfiguration events.
Detection Strategies
- Monitor /var/log/kern.log and dmesg output for NULL pointer dereferences originating in u_ether.c or dwc3 gadget code paths.
- Audit running kernel versions against the patched commits listed in the kernel.org stable tree advisories to identify unpatched hosts.
- Correlate USB device disconnect events with kernel oops or soft lockup messages on systems running gadget mode.
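One way to turn the indicators above into a log check, as an added example that is not part of the original advisory: it groups consecutive stack-frame lines into traces and flags a trace only when it contains the full symbol set named in the indicators. The sample log is constructed (timestamps, offsets and the watchdog wording are made up), and the signature labels are hypothetical names.

```python
import re

# Signatures taken from the indicators listed in this advisory.
NULL_DEREF_MSG = "Unable to handle kernel NULL pointer dereference"
CRASH_SYMS = {"__dwc3_gadget_ep_enable", "usb_ep_enable", "eth_stop"}
LOCKUP_SYMS = {"queued_spin_lock_slowpath", "gether_disconnect", "ncm_set_alt"}
# Stack frame such as "[  1.0]  sym+0x60/0x788"; compiler suffixes (.isra.0) are dropped.
FRAME = re.compile(r"\]\s+([A-Za-z_]\w*)(?:\.[\w.]+)?\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample log, for illustration only.
SAMPLE_LOG = """\
[  812.100001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  812.100050] Call trace:
[  812.100060]  __dwc3_gadget_ep_enable+0x60/0x788
[  812.100080]  usb_ep_enable+0x5c/0x1b0
[  812.100090]  eth_stop+0xe0/0x150
[  838.400000] watchdog: hard lockup detected on cpu 3 (constructed line)
[  838.400010] Call trace:
[  838.400020]  queued_spin_lock_slowpath+0x84/0x388
[  838.400030]  _raw_spin_lock+0x60/0x80
[  838.400040]  gether_disconnect+0x148/0x1f0
[  838.400050]  ncm_set_alt+0x94/0x2f4
[  838.400060]  composite_setup+0x6e0/0x1a20
[  901.000000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

def find_u_ether_race_traces(log_text):
    """Return the matched signature labels, in log order."""
    hits, syms, null_msg = [], set(), False
    for line in log_text.splitlines() + [""]:  # sentinel flushes the last trace
        m = FRAME.search(line)
        if m:
            syms.add(m.group(1))
            continue
        if syms:  # a non-frame line ends the current trace
            if null_msg and CRASH_SYMS <= syms:
                hits.append("null-deref-in-eth_stop")
            if LOCKUP_SYMS <= syms:
                hits.append("lockup-in-gether_disconnect")
            syms, null_msg = set(), False
        if NULL_DEREF_MSG in line:
            null_msg = True
    return hits

if __name__ == "__main__":
    print(find_u_ether_race_traces(SAMPLE_LOG))
```

Requiring the whole symbol set per trace keeps unrelated NULL dereferences or spinlock stalls elsewhere in the USB stack from matching.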
Monitoring Recommendations
- Enable kernel.hardlockup_panic and kernel.softlockup_panic sysctls to surface hangs deterministically for incident triage.
- Forward kernel logs to a centralized SIEM and alert on signatures referencing gether_disconnect, eth_stop, or __dwc3_gadget_ep_enable faults.
- Track kernel package versions across the fleet to verify patch deployment status.
How to Mitigate CVE-2026-31728
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org stable tree commits, including f6813c2b2ae78def76b69e0f9d72f80e4a1c4aca and the corresponding stable backports.
- Update to a Linux kernel build that incorporates the fix moving dev->port_usb clearing to the start of gether_disconnect().
- Restrict local access to systems running USB gadget mode and limit which users can manipulate network interfaces or USB function configurations.
Patch Information
The fix has been merged into the mainline Linux kernel and backported to multiple stable branches. Refer to the Linux kernel stable commit f6813c2b and related backports including commit 6ad77458, commit a259ba0b, and commit e1eabb07. Distribution-specific kernel updates should be tracked through vendor advisories.
Workarounds
- Disable or unload the u_ether and dependent gadget function modules (such as usb_f_ncm) on systems where USB gadget Ethernet is not required.
- Avoid scripted or automated workflows that rapidly toggle the gadget Ethernet interface up and down while reconfiguring USB functions.
- Restrict CAP_NET_ADMIN and access to gadget configfs paths to trusted administrators only.
# Check the running kernel version; compare it against your vendor's patched builds
uname -r
# Unload u_ether-dependent modules if gadget Ethernet is not required
sudo modprobe -r usb_f_ncm
sudo modprobe -r u_ether
# Panic on hard and soft lockups so this class of hang surfaces deterministically
sudo sysctl -w kernel.hardlockup_panic=1
sudo sysctl -w kernel.softlockup_panic=1


