0.0
CVE-2026-31729 - usb: typec: ucsi: validate connector number in ucsi_notify_common()
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: validate connector number in ucsi_notify_common() The connector number extracted from CCI via UCSI_CCI_CONNECTOR() is a 7-bit field (0-127) that is used to index into the connector array in ucsi_connector_changeβ¦
0.0
CVE-2026-31728 - usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop A race condition between gether_disconnect() and eth_stop() leads to a NULL pointer dereference. Specifically, if eth_stop() is triggered concurrently while geβ¦
0.0
CVE-2026-31727 - usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move") reparents the gadget device to /sys/devices/virtual during unbind, clearing theβ¦
0.0
CVE-2026-31726 - usb: gadget: uvc: fix NULL pointer dereference during unbind race
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: fix NULL pointer dereference during unbind race Commit b81ac4395bbe ("usb: gadget: uvc: allow for application to cleanly shutdown") introduced two stages of synchronization waits totaling 1500ms in uvc_function_β¦
0.0
CVE-2026-31725 - usb: gadget: f_ecm: Fix net_device lifecycle with device_move
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ecm: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbindβ¦
0.0
CVE-2026-31724 - usb: gadget: f_eem: Fix net_device lifecycle with device_move
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbindβ¦
0.0
CVE-2026-31723 - usb: gadget: f_subset: Fix net_device lifecycle with device_move
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbβ¦
0.0
CVE-2026-31722 - usb: gadget: f_rndis: Fix net_device lifecycle with device_move
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Fix net_device lifecycle with device_move The net_device is allocated during function instance creation and registered during the bind phase with the gadget device as its sysfs parent. When the function unbiβ¦
0.0
CVE-2026-31721 - usb: gadget: f_hid: move list and spinlock inits from bind to alloc
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: move list and spinlock inits from bind to alloc There was an issue when you did the following: - setup and bind an hid gadget - open /dev/hidg0 - use the resulting fd in EPOLL_CTL_ADD - unbind the UDC - bind tβ¦
0.0
CVE-2026-31720 - usb: gadget: f_uac1_legacy: validate control request size
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-coβ¦