{"id":"CVE-2026-31722","summary":"usb: gadget: f_rndis: Fix net_device lifecycle with device_move","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_rndis: Fix net_device lifecycle with device_move\n\nThe net_device is allocated during function instance creation and\nregistered during the bind phase with the gadget device as its sysfs\nparent. When the function unbinds, the parent device is destroyed, but\nthe net_device survives, resulting in dangling sysfs symlinks:\n\n  console:/ # ls -l /sys/class/net/usb0\n  lrwxrwxrwx ... /sys/class/net/usb0 -\u003e\n  /sys/devices/platform/.../gadget.0/net/usb0\n  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/usb0\n  ls: .../gadget.0/net/usb0: No such file or directory\n\nUse device_move() to reparent the net_device between the gadget device\ntree and /sys/devices/virtual across bind and unbind cycles. During the\nfinal unbind, calling device_move(NULL) moves the net_device to the\nvirtual device tree before the gadget device is destroyed. On rebinding,\ndevice_move() reparents the device back under the new gadget, ensuring\nproper sysfs topology and power management ordering.\n\nTo maintain compatibility with legacy composite drivers (e.g., multi.c),\nthe borrowed_net flag is used to indicate whether the network device is\nshared and pre-registered during the legacy driver's bind phase.","modified":"2026-07-08T07:07:19.014612002Z","published":"2026-05-01T14:14:24.156Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31722.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/18ada801899f2b13ef0ceff42427ad980a41e619"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1ef251aa63972fe6c0f107f5abd139b7d0f7987a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6045ea5ca6e3fa13f8a9fafb1c535c86e124c14d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e367599529dc42578545a7f85fde517b35b3cda7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31722.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31722"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f466c6353819326873fa48a02c6f2d7c903240d6"},{"fixed":"1ef251aa63972fe6c0f107f5abd139b7d0f7987a"},{"fixed":"18ada801899f2b13ef0ceff42427ad980a41e619"},{"fixed":"6045ea5ca6e3fa13f8a9fafb1c535c86e124c14d"},{"fixed":"e367599529dc42578545a7f85fde517b35b3cda7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31722.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.11.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31722.json"}}],"schema_version":"1.7.5"}