CVE-2026-31667

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A circular locking dependency exists in the uinput component when using a force-feedback gamepad. This issue occurs through a cycle of four lock acquisition paths involving ff->mutex, udev->mutex, input mutex, and dev->mutex. Specifically, the cycle is triggered when input ff upload() holds ff->mutex and calls uinput request send(), which acquires udev->mutex, while other paths lead from udev->mutex back to ff->mutex via input mutex and dev->mutex during device creation and release processes.

Recommendations As a temporary workaround, restrict the use of force-feedback gamepads with uinput to minimize the risk of triggering the locking dependency.