CVE Catalog

CVE-2026-31755

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a NULL pointer dereference vulnerability was found in the USB cdns3 gadget driver's ep_queue function. When the endpoint is disabled or not configured, the ep->desc pointer can be NULL, causing a kernel crash when __cdns3_gadget_ep_queue() is called.

Risk Assessment

An attacker can trigger a kernel crash (DoS) by sending a request to an improperly configured USB endpoint, leading to denial of service.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit adding a check for ep->desc and returning -ESHUTDOWN).

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix NULL pointer dereference in ep_queue When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash. Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints. This prevents potential crashes when ep_queue is called on endpoints that are not ready.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS