CVE-2026-31778

A flaw was found in the Linux kernel's ALSA caiaq driver. A local user with a specially crafted USB device, containing a product name with many non-ASCII or non-space characters, can trigger a stack out-of-bounds read. This vulnerability allows the system to read past the end of a stack buffer,...

CVE-2026-31757

A flaw was found in the Linux kernel. Specifically, within the USB subsystem usbio, a memory leak occurs when a Universal Serial Bus USB Request Block URB submission fails during the device probing process. This failure to free the allocated URB memory can lead to a gradual depletion of system...

CVE-2026-31758

A flaw was found in the Linux kernel's usbtmc module. This vulnerability occurs because pending anchored Universal Serial Bus USB Request Blocks URBs are not flushed or killed when the usbtmcrelease function is called. This can result in use-after-free errors, which could potentially lead to syst...

CVE-2026-31756

A flaw was found in the Linux kernel's dwc2 USB gadget driver. A local user could trigger an incorrect locking sequence within the dwc2hsotgudcstop function. This issue, a spinlock/unlock mismatch, can lead to a system deadlock, causing a Denial of Service DoS for the affected system...

CVE-2026-31754

A flaw was found in the Linux kernel's USB subsystem, specifically within the cdns3 gadget driver. A local user could exploit this vulnerability by attempting to switch the USB role to host mode after a gadget initialization failure. This state inconsistency can lead to a system crash, resulting ...

CVE-2026-31728

A flaw was found in the Linux kernel's usb: gadget: uether module. A race condition between the getherdisconnect and ethstop functions can lead to a NULL pointer dereference. This occurs when ethstop is triggered concurrently while getherdisconnect is tearing down USB endpoints. The vulnerability...

CVE-2026-31725

A flaw was found in the Linux kernel's usb: gadget: fecm component. When a USB gadget function unbinds, the associated netdevice may not be properly de-parented from the destroyed gadget device. This can lead to dangling symbolic links in the /sys/class/net/ directory, potentially causing issues...

CVE-2026-31723

A flaw was found in the Linux kernel's usb: gadget: fsubset component. This vulnerability arises from an issue in how network device resources are managed during the unbinding of a USB gadget function. When the parent device is destroyed, the associated network device may persist, creating...

CVE-2026-31722

A flaw was found in the Linux kernel's USB gadget RNDIS Remote Network Driver Interface Specification function. During the unbinding process of a USB gadget device, the associated network device netdevice may not be correctly reparented, resulting in dangling symbolic links within the system's...

CVE-2026-31721

A flaw was found in the Linux kernel's USB Human Interface Device HID gadget driver fhid. When a USB gadget is unbound and then rebound while file descriptors are still actively using its wait queues, the driver can re-initialize these queues while they still contain items. This can lead to list...

CVE-2026-31720

A flaw was found in the Linux kernel's USB gadget audio class 1 UAC1 legacy function. A remote attacker could exploit this vulnerability by sending a malicious USB control request, causing an out-of-bounds write on the stack. This could lead to a denial of service or potentially arbitrary code...

CVE-2026-31760

In the Linux kernel, the following vulnerability has been resolved: gpib: lpvousb: fix memory leak on disconnect The driver iterates over the registered USB interfaces during GPIB attach and takes a reference to their USB devices until a match is found. These references are never released which...

CVE-2026-31756

In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: gadget: Fix spinlock/unlock mismatch in dwc2hsotgudcstop dwc2gadgetexitclockgating internally calls callgadget macro, which expects hsotg-lock to be held since it does spinunlock/spinlock around the gadget driver...

CVE-2026-31755

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix NULL pointer dereference in epqueue When the gadget endpoint is disabled or not yet configured, the ep-desc pointer can be NULL. This leads to a NULL pointer dereference when cdns3gadgetepqueue is called,...

CVE-2026-31759

In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix double free in ulpiregisterinterface error path When deviceregister fails, ulpiregister calls putdevice on ulpi-dev. The device release callback ulpidevrelease drops the OF node reference and frees ulpi, but the...

CVE-2026-31726

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: fix NULL pointer dereference during unbind race Commit b81ac4395bbe "usb: gadget: uvc: allow for application to cleanly shutdown" introduced two stages of synchronization waits totaling 1500ms in uvcfunctionunbi...

CVE-2026-31728

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uether: Fix race between getherdisconnect and ethstop A race condition between getherdisconnect and ethstop leads to a NULL pointer dereference. Specifically, if ethstop is triggered concurrently while getherdisconne...

CVE-2026-31727

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uether: Fix NULL pointer deref in ethgetdrvinfo Commit ec35c1969650 "usb: gadget: fncm: Fix netdevice lifecycle with devicemove" reparents the gadget device to /sys/devices/virtual during unbind, clearing the gadget...

CVE-2026-31720

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: fuac1legacy: validate control request size faudiocomplete copies req-length bytes into a 4-byte stack variable: u32 data = 0; memcpy&data, req-buf, req-length; req-length is derived from the host-controlled USB reque...

CVE-2026-31722

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: frndis: Fix netdevice lifecycle with devicemove The netdevice is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbinds,...