CVE-2026-31721

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An issue exists in the USB gadget HID function where list and spinlock initializations were performed during the bind process. Specifically, queues registered via poll wait were initialized using init waitqueue head inside the hidg bind() function. This caused the bind function to re-initialize queues while they still contained items, leading to list del corruption within remove wait queue() (via ep remove wait queue) when CONFIG DEBUG LIST was enabled. This occurs during a sequence of setting up and binding an HID gadget, opening /dev/hidg0, using the file descriptor in EPOLL CTL ADD, unbinding and rebinding the UDC, and finally using the file descriptor in EPOLL CTL DEL.

Recommendations Move the initialization of lists and spinlocks from the hidg bind() function to the hidg alloc() function to ensure their lifetimes match the function instance.