CVE-2026-31756 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()

dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro,
which expects hsotg->lock to be held since it does spin_unlock/spin_lock
around the gadget driver callback invocation.

However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating()
without holding the lock. This leads to:
- spin_unlock on a lock that is not held (undefined behavior)
- The lock remaining held after dwc2_gadget_exit_clock_gating() returns,
causing a deadlock when spin_lock_irqsave() is called later in the
same function.

Fix this by acquiring hsotg->lock before calling
dwc2_gadget_exit_clock_gating() and releasing it afterwards, which
satisfies the locking requirement of the call_gadget() macro.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`5cb3cb3db317c58d50b68f3ca3bb8343ea9d1acd`	affected	< e9fcca3e87463013d595c65c2189ffaa32ad3b50
`1ac826cebc2776f91569f2aa9c9c3da2375d2096`	affected	< 8ffe31acb3b77a30ae34d01719a269881569fb7f
`41732f9febdccb4f9b87c13cb915d717d68ccafd`	affected	< beab10429439e20708036a66fb0d97ffb79da6a1
`ba78c2b3254c4a458c01776612e8a573e12f8d26`	affected	< 4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4
`af076a41f8a28faf9ceb9dd2d88aef2c202ef39a`	affected	< 61937f686290494998236c680ce0836b8dd63a3f
`af076a41f8a28faf9ceb9dd2d88aef2c202ef39a`	affected	< 51b62286fc668c6eb74dee7624ec0beec3c5a0ed
`af076a41f8a28faf9ceb9dd2d88aef2c202ef39a`	affected	< 9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a
`b39c203690fa1678daecc60f347e43c8b593b969`	affected	—

Linux

affected

Version	Status	Constraints
`6.16`	affected	—
`0`	unaffected	< 6.16
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4
https://git.kernel.org/stable/c/51b62286fc668c6eb74dee7624ec0beec3c5a0ed
https://git.kernel.org/stable/c/61937f686290494998236c680ce0836b8dd63a3f
https://git.kernel.org/stable/c/8ffe31acb3b77a30ae34d01719a269881569fb7f
https://git.kernel.org/stable/c/9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a
https://git.kernel.org/stable/c/beab10429439e20708036a66fb0d97ffb79da6a1
https://git.kernel.org/stable/c/e9fcca3e87463013d595c65c2189ffaa32ad3b50

History

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop() dwc2_gadget_exit_clock_gating() internally calls call_gadget() macro, which expects hsotg->lock to be held since it does spin_unlock/spin_lock around the gadget driver callback invocation. However, dwc2_hsotg_udc_stop() calls dwc2_gadget_exit_clock_gating() without holding the lock. This leads to: - spin_unlock on a lock that is not held (undefined behavior) - The lock remaining held after dwc2_gadget_exit_clock_gating() returns, causing a deadlock when spin_lock_irqsave() is called later in the same function. Fix this by acquiring hsotg->lock before calling dwc2_gadget_exit_clock_gating() and releasing it afterwards, which satisfies the locking requirement of the call_gadget() macro.
Title		usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4ed9d2dd9f29828c311db6ec4b8e0d34bfd6d6a4 https://git.kernel.org/stable/c/51b62286fc668c6eb74dee7624ec0beec3c5a0ed https://git.kernel.org/stable/c/61937f686290494998236c680ce0836b8dd63a3f https://git.kernel.org/stable/c/8ffe31acb3b77a30ae34d01719a269881569fb7f https://git.kernel.org/stable/c/9bb4b5ed7f8c4f95cc556bdf042b0ba2fa13557a https://git.kernel.org/stable/c/beab10429439e20708036a66fb0d97ffb79da6a1 https://git.kernel.org/stable/c/e9fcca3e87463013d595c65c2189ffaa32ad3b50

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:47.000Z

Updated: 2026-05-01T14:14:47.000Z

Reserved: 2026-03-09T15:48:24.139Z

Link: CVE-2026-31756

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:38.580

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:45:20Z

Weaknesses

No weakness.

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object