CVE-2026-31755
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a NULL pointer dereference vulnerability was found in the USB cdns3 gadget driver's ep_queue function. When the endpoint is disabled or not configured, the ep->desc pointer can be NULL, causing a kernel crash when __cdns3_gadget_ep_queue() is called.
Risk Assessment
An attacker can trigger a kernel crash (DoS) by sending a request to an improperly configured USB endpoint, leading to denial of service.
Recommendation
Immediately update the Linux kernel to a version containing the fix (commit adding a check for ep->desc and returning -ESHUTDOWN).
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: fix NULL pointer dereference in ep_queue When the gadget endpoint is disabled or not yet configured, the ep->desc pointer can be NULL. This leads to a NULL pointer dereference when __cdns3_gadget_ep_queue() is called, causing a kernel crash. Add a check to return -ESHUTDOWN if ep->desc is NULL, which is the standard return code for unconfigured endpoints. This prevents potential crashes when ep_queue is called on endpoints that are not ready.

