VDB
DEBIAN-CVE-2026-31606
DEBIAN-CVE-2026-31606
PUBLISHED
CVSS 5.5 MEDIUM
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: don't call cdev_init while cdev in use When calling unbind, then bind again, cdev_init reinitialized the cdev, even though there may still be references to it. That's the case when the /dev/hidg* device is still opened. This obviously unsafe behavior like oopes. This fixes this by using cdev_alloc to put the cdev on the heap. That way, we can simply allocate a new one in hidg_bind.
Risk Scores
CVSS v3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | linux | 6.17.10-1, 6.1.164-1, 6.1.27-1 |
| Debian:13 | linux | 6.12.57-1, 6.12.63-1, 6.12.63-1 |
| Debian:14 | linux | 6.19.13-1~bpo13+1, 6.19.14-1, 6.19.2-1~exp1 |
| Debian:11 | linux | 6.4.1-1, 6.4.11-1, 6.4.13-1 |
Timeline
- Apr 24, 2026 CVE Published
- May 1, 2026 CVE Updated