CVE-2026-31727
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
01/05/2026
Last modified:
07/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo<br />
<br />
Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with<br />
device_move") reparents the gadget device to /sys/devices/virtual during<br />
unbind, clearing the gadget pointer. If the userspace tool queries on<br />
the surviving interface during this detached window, this leads to a<br />
NULL pointer dereference.<br />
<br />
Unable to handle kernel NULL pointer dereference<br />
Call trace:<br />
eth_get_drvinfo+0x50/0x90<br />
ethtool_get_drvinfo+0x5c/0x1f0<br />
__dev_ethtool+0xaec/0x1fe0<br />
dev_ethtool+0x134/0x2e0<br />
dev_ioctl+0x338/0x560<br />
<br />
Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached,<br />
skip copying the fw_version and bus_info strings, which is natively<br />
handled by ethtool_get_drvinfo for empty strings.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12.78 (including) | 6.12.81 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.18.19 (including) | 6.18.22 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19.9 (including) | 6.19.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page