A newly published Linux kernel vulnerability, CVE-2026-31722, exposes systems using the USB gadget RNDIS function to denial-of-service attacks. NVD published the medium-severity flaw on May 1, 2026; it stems from a lifecycle management bug in the kernel's USB gadget subsystem. Repeatedly binding and unbinding the RNDIS (Remote Network Driver Interface Specification) function through configfs can leave a surviving network interface object behind. A later access to that dangling object crashes the kernel.

This issue primarily affects Linux devices configured as USB peripherals via the gadget framework, such as single-board computers, IoT hardware, and embedded gadgets offering USB tethering. Although the attack vector requires local access or control over the device’s configfs interface, the impact can be severe for always-on systems where reliability is critical.

Understanding the Linux USB Gadget RNDIS Function

The Linux USB gadget subsystem allows a device to act as a USB peripheral, presenting various functions like mass storage, serial, or networking to a USB host. The RNDIS function emulates a Microsoft-proprietary network interface over USB, enabling the device to behave like a USB-connected Ethernet adapter. It is widely used in smartphones, Raspberry Pi boards, and other embedded Linux platforms for network sharing.

Administrators manage gadget functions through configfs, normally mounted at /sys/kernel/config; gadgets live under /sys/kernel/config/usb_gadget. To enable RNDIS, one creates a gadget directory, creates a function instance under it (functions/rndis.usb0, which loads the usb_f_rndis module on demand), symlinks that instance into a configuration (configs/c.1/), and finally binds the gadget to a USB device controller by writing the controller's name into the gadget's UDC attribute. The first bind registers a network device (e.g., usb0) that the host can use. There are two unbind levels with different expectations: writing an empty string to UDC detaches the gadget from the controller, but the function instance, and the net_device it owns, persist so the gadget can be rebound; removing the function instance directory (rmdir functions/rndis.usb0) is the step that should unregister and free the net_device and every object attached to it.
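The procedure above as a runnable script, added here as an example; it is not code from the advisory or from the kernel tree. The configfs layout, the UDC attribute and the teardown order are the standard gadget API; the gadget name g1, the USB IDs and the product string are sample values, and the GADGET_ROOT override is an assumption of this script so the layout can be dry-run in a scratch directory without root (on a plain filesystem the attribute writes just create files; only the real configfs loads usb_f_rndis and registers usb0).

```shell
#!/bin/sh
# Added example: a minimal RNDIS gadget lifecycle driven through configfs.
# Not code from the advisory or the kernel tree. Gadget name, USB IDs and
# product string are sample values; GADGET_ROOT may point at a scratch
# directory for a dry run of the layout (no module load, no usb0 there).
set -eu

GADGET_ROOT="${GADGET_ROOT:-/sys/kernel/config/usb_gadget}"
GADGET_NAME="${GADGET_NAME:-g1}"   # sample gadget name
FUNC_NAME="rndis.usb0"             # "rndis." selects the function; suffix is free

gadget_dir() { printf '%s/%s\n' "$GADGET_ROOT" "$GADGET_NAME"; }

# Create the gadget, one configuration and one RNDIS instance, and link them.
gadget_create() {
    g=$(gadget_dir)
    mkdir -p "$g"
    echo 0x1d6b > "$g/idVendor"          # sample IDs (Linux Foundation VID)
    echo 0x0104 > "$g/idProduct"
    mkdir -p "$g/strings/0x409"
    echo "example rndis gadget" > "$g/strings/0x409/product"
    mkdir -p "$g/configs/c.1"
    mkdir -p "$g/functions/$FUNC_NAME"   # real configfs loads usb_f_rndis here
    ln -s "$g/functions/$FUNC_NAME" "$g/configs/c.1/$FUNC_NAME"
}

# Bind: writing a controller name to UDC attaches the gadget; on the first
# bind of this instance the kernel registers the network interface (usb0).
gadget_bind() {
    udc="${1:-$(ls /sys/class/udc 2>/dev/null | head -n 1)}"
    [ -n "$udc" ] || { echo "no UDC controller found" >&2; return 1; }
    echo "$udc" > "$(gadget_dir)/UDC"
}

# Unbind: detach from the controller. The instance directory and its
# net_device stay, so the gadget can be bound again without recreating it.
# (The write fails with ENODEV if the gadget is not currently bound.)
gadget_unbind() {
    echo "" > "$(gadget_dir)/UDC"
}

# Removing the function instance is the step that is supposed to unregister
# and free the net_device. The config symlink must go first, or configfs
# refuses the rmdir because the instance is still in use.
rndis_instance_remove() {
    g=$(gadget_dir)
    rm -f "$g/configs/c.1/$FUNC_NAME"
    rmdir "$g/functions/$FUNC_NAME"
}

# Does the instance still exist? Prints yes/no so callers can branch on it.
rndis_instance_present() {
    if [ -d "$(gadget_dir)/functions/$FUNC_NAME" ]; then echo yes; else echo no; fi
}

# Tear down the rest, in reverse order of creation (unbind first on a live box).
gadget_destroy() {
    g=$(gadget_dir)
    rmdir "$g/configs/c.1"
    rmdir "$g/strings/0x409"
    rmdir "$g"
}

case "${1:-}" in
    up)   gadget_create && gadget_bind "${2:-}" ;;
    down) gadget_unbind; rndis_instance_remove; gadget_destroy ;;
esac
```

Run it as `sh gadget.sh up` on a device with a UDC (optionally naming the controller as the second argument) and `sh gadget.sh down` to tear everything down; the down path is deliberately split so that rndis_instance_remove, the step this advisory is about, can be called and inspected on its own.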

The Lifecycle Bug: Stale Network Interface Survives Unbind

The core of CVE-2026-31722 lies in how the RNDIS function handles rapid bind/unbind cycles. When the function's lifecycle completes normally, the network device and the structures hanging off it are released. According to the public description, teardown instead leaves a residual net_device in kernel memory; whether that comes from a race with in-flight work or from a reference-counting error is not stated.

The surviving object is no longer linked to a live gadget function, yet pointers to it remain reachable through other paths, such as leftover sysfs entries or deferred work. Once the memory behind one of those pointers has been freed, and possibly reused, any later operation through it (reading statistics, transmitting a packet, completing a control request) is a use-after-free: the kernel dereferences freed memory, takes a general protection fault or page fault, and the executing context dies.

This isn’t a theoretical flaw. Repeated bind/unbind cycles are not uncommon during debugging, reconfiguration, or automated testing. A malicious local user with write access to configfs (typically root) can trigger the crash intentionally. In some scenarios, an unprivileged user might leverage a misconfigured system with relaxed configfs permissions.

Technical Deep Dive: How the Crash Occurs

The USB gadget RNDIS function lives in drivers/usb/gadget/function/f_rndis.c and relies on the shared Ethernet-over-USB helpers in u_ether.c. Creating the function instance (rndis_alloc_inst()) allocates the net_device through those helpers (gether_setup_default(), which calls alloc_etherdev()); binding the function (rndis_bind()) attaches it to the gadget's configuration and, on the first bind of that instance, registers the net_device with gether_register_netdev(), which is the moment usb0 appears.

Unbinding invokes rndis_unbind(), which tears down the RNDIS protocol state and the pending control request; the net_device itself is meant to survive a UDC unbind and to be unregistered and freed later, from rndis_free_inst() via gether_cleanup(), when the function instance is removed. A net_device is reference counted, and the two ways this can go wrong have different symptoms. If teardown frees the device while another path still holds a pointer to it without a reference, the next use of that pointer is a use-after-free and crashes. If teardown instead leaks a reference, unregister_netdev() blocks in netdev_wait_allrefs() and the kernel logs "unregister_netdevice: waiting for usb0 to become free. Usage count = N" every ten seconds; the object survives, nothing is freed, and the rmdir never returns. The public description matches the first symptom, the crash; the second is worth knowing because it is how a lifecycle bug in this path announces itself when it does not crash.

Later, the kernel may still hold a pointer to the stale net_device in a list or hash table belonging to the gadget framework. When an event occurs, such as a USB reset, a read of a counter under /sys/class/net/usb0/statistics/, or a timer callback, the code dereferences fields of the freed object. If the memory has been reallocated to another user, the values are garbage and the access crashes.

A kernel oops from this class of bug would look roughly like the following. The trace is illustrative, not one taken from the advisory; note that the module tag is usb_f_rndis, the real module name, and that dead000000000100 is LIST_POISON1, the value list_del() writes into an entry's next pointer, which is what shows up when code walks a list that still refers to an already-removed object:

BUG: unable to handle page fault for address: dead000000000100
RIP: 0010:rndis_response_available+0x1c/0x80 [usb_f_rndis]
Call Trace:
 rndis_command_complete+0x45/0x1f0 [usb_f_rndis]
 usb_gadget_giveback_request+0x26/0xd0 [udc_core]
 ...

Whether such an oops takes the whole system down depends on configuration. The faulting context is killed; if kernel.panic_on_oops is set (common on embedded and many distribution kernels), or the fault happens in interrupt context, which a USB request completion callback is, the kernel panics and, with kernel.panic set, reboots. Otherwise the gadget stops working and any lock the dead context held stays held, so other subsystems can wedge later.

Severity and Attack Scenario

NVD rates CVE-2026-31722 with a CVSS v4.0 score of 5.5 (Medium). The vector string is CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, indicating:
- Local access required (AV:L).
- Low attack complexity (AC:L).
- Attack requirements present (AT:P): the vector records a precondition the attacker does not fully control, consistent with a timing-dependent lifecycle bug that a tight bind/unbind loop is used to hit.
- Privileges required are low (PR:L). In practice that means write access to the gadget's configfs tree, which is root by default; some distributions and vendor images, however, hand it to a group through udev rules or run the gadget setup as an unprivileged service user under systemd.
- No user interaction needed (UI:N).
- Impact is solely on availability (VA:H). Confidentiality and integrity are not affected, and nothing beyond the vulnerable system is (SC/SI/SA:N).

In a real-world scenario, an attacker with shell access to a device configured as a USB gadget could write a simple script that loops through bind and unbind operations, crashing the system within seconds. For embedded devices installed in remote or unattended locations, this could force a reboot, causing service interruptions. The vulnerability does not allow code execution or privilege escalation—it is purely a denial-of-service vector.

Systems that use RNDIS as a permanent network interface are especially vulnerable if an automated process or a privileged user inadvertently performs reconfiguration cycles. Development and testing environments frequently bind and unbind functions, making them prime candidates for triggering the bug accidentally.

Affected Kernel Versions and Distributions

The NVD advisory does not specify exact kernel versions. However, given the nature of the bug, it likely affects all mainstream Linux kernels that include the RNDIS gadget function, possibly since the driver was introduced. The bug may have been latent for years and only recently discovered or triggered by changes in memory management or gadget framework refactoring.

To determine whether the function is present at all, check the kernel configuration. Distribution kernels keep it under /boot; embedded kernels built with CONFIG_IKCONFIG_PROC expose it as /proc/config.gz instead, so try both:

grep CONFIG_USB_F_RNDIS /boot/config-$(uname -r) 2>/dev/null || zcat /proc/config.gz | grep CONFIG_USB_F_RNDIS

CONFIG_USB_F_RNDIS=m means the function is built as a module (named usb_f_rndis), =y means it is built into the kernel image. If the line reads "# CONFIG_USB_F_RNDIS is not set" or is absent altogether, the code is not present and the system is not affected.

Additionally, to see whether the function is in use right now on a modular build, list loaded modules. The module is usb_f_rndis, so the substring match below finds it; a built-in function never appears in lsmod, so on =y kernels look for rndis.* instance directories under /sys/kernel/config/usb_gadget instead:

lsmod | grep f_rndis
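The two checks above folded into one script that also covers the embedded case (an added example, not from the advisory). It assumes only standard locations: /boot/config-$(uname -r) on distribution kernels, /proc/config.gz on kernels built with CONFIG_IKCONFIG_PROC, /proc/modules, and the usb_gadget configfs tree; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the running kernel
# carries the RNDIS gadget function and whether it is active right now.
set -eu

# rndis_build_state FILE -> module | builtin | absent
# Handles "=m", "=y", the "# CONFIG_... is not set" form, and gzipped configs.
rndis_build_state() {
    f="$1"
    case "$f" in
        *.gz) line=$(zcat "$f" | grep -E '^(# )?CONFIG_USB_F_RNDIS[= ]' | head -n 1) ;;
        *)    line=$(grep -E '^(# )?CONFIG_USB_F_RNDIS[= ]' "$f" | head -n 1) ;;
    esac
    case "$line" in
        CONFIG_USB_F_RNDIS=m) echo module ;;
        CONFIG_USB_F_RNDIS=y) echo builtin ;;
        *)                    echo absent ;;
    esac
}

# Locate the config of the running kernel: distribution layout first, then
# the in-kernel copy (CONFIG_IKCONFIG_PROC). Fails if neither is readable.
running_kernel_config() {
    for c in "/boot/config-$(uname -r)" /proc/config.gz; do
        [ -r "$c" ] && { echo "$c"; return 0; }
    done
    return 1
}

# rndis_active -> loaded | instance | inactive
# For a modular build the module is usb_f_rndis (lsmod | grep f_rndis matches
# it only as a substring). A built-in function never shows up in lsmod, so
# also look for live rndis.* instances under the gadget configfs tree.
rndis_active() {
    if grep -q '^usb_f_rndis ' /proc/modules 2>/dev/null; then
        echo loaded
        return 0
    fi
    for d in /sys/kernel/config/usb_gadget/*/functions/rndis.*; do
        [ -d "$d" ] && { echo instance; return 0; }
    done
    echo inactive
}

if cfg=$(running_kernel_config); then
    echo "config: $cfg -> $(rndis_build_state "$cfg"), $(rndis_active)"
else
    echo "no readable kernel config found; inspect the build tree instead" >&2
fi
```

A result of "absent" on the build side settles the question; "module"/"builtin" combined with "instance" means the vulnerable path is reachable on this device right now, and "loaded" without an instance means it was reachable recently, which on a modular kernel is a hint that something on the box creates and destroys RNDIS instances.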

Popular Linux distributions that ship with USB gadget support enabled by default include Raspberry Pi OS (formerly Raspbian), Armbian, and many Yocto-based embedded builds. The function exists in every mainline 5.x and 6.x kernel, so the working assumption until the fix lands is that any of them with CONFIG_USB_F_RNDIS enabled is affected. Vendor kernels for smartphones (Android) include the RNDIS function for USB tethering; Android drives it through a different configfs path, but the underlying kernel code is the same and may still be vulnerable.

Mitigation: Patching and Workarounds

The primary mitigation is to apply a kernel patch that addresses the stale object lifecycle issue. As of the CVE publication date, fixes were being prepared for submission to the Linux kernel stable trees. An official fix will likely involve proper reference counting in the RNDIS unbind path and ensuring the network device is fully released before proceeding. Once available, downstream distributions will backport the patch.

Check your distribution’s security announcements for an updated kernel package addressing CVE-2026-31722. For custom or embedded builds, monitor the Linux kernel mailing list or the USB gadget maintainer’s tree for the commit.

Until a patch is applied, administrators can employ several workarounds:

  • Disable the RNDIS gadget if it is not needed. Remove any gadget configurations that include an rndis.* function instance. If the function is built as a module, note that its name is usb_f_rndis (not f_rndis) and that configfs loads it through a module alias when the instance directory is created; a blacklist entry stops that alias-based autoload, and an install directive mapping usb_f_rndis to /bin/false additionally stops an explicit modprobe. Neither helps on a kernel with the function built in:
    echo "blacklist usb_f_rndis" | sudo tee /etc/modprobe.d/blacklist-rndis.conf
  • Avoid repeated bind/unbind cycles. If the function must be used, do not re-bind unnecessarily. In automated scripts, introduce delays between unbind and bind, but this does not guarantee safety.
  • Restrict configfs access. Ensure that only root has write access to /sys/kernel/config/usb_gadget. Review udev rules and systemd services that might grant wider permissions. If dynamic reconfiguration is not required, remount configfs read-only (mount -o remount,ro /sys/kernel/config) after the gadget has been bound at boot; this blocks every later write to the tree, including the UDC unbind, so a legitimate reconfiguration then needs a read-write remount first.
  • Monitor for crashes. Set up kernel crash dumping with kdump, or pstore/ramoops on embedded boards that cannot run kdump, so the oops survives the reboot. An unexpected crash whose stack trace includes usb_f_rndis frames beneath the UDC driver's request completion path is a strong indicator of this vulnerability.

Detection and Forensic Evidence

Identifying exploitation of CVE-2026-31722 after the fact can be challenging because the system may panic and reboot before logging the oops. However, if crash logs are preserved, look for:
- Kernel oops frames tagged [usb_f_rndis], in particular rndis_command_complete, rndis_response_available, rndis_unbind, or rndis_free_inst.
- Repeated "unregister_netdevice: waiting for usb0 to become free. Usage count = N" lines, the kernel's own report of a leaked net_device reference, which on this path means a function-instance removal that never completed.
- Repeated USB gadget reconfiguration events in dmesg or journal logs prior to the crash.

A simple check for a lingering interface has to be made at the right step. After a UDC unbind (echo "" > UDC) the interface usb0 is expected to remain, because the function instance that owns it still exists, so its presence there proves nothing; and ip link del never works on a u_ether interface, healthy or not, because the device has no rtnl_link_ops. The check is: read the instance's ifname attribute, remove the instance directory (rmdir functions/rndis.usb0), and then look for that name under /sys/class/net. If it is still there after the rmdir returned, the net_device was leaked; if the rmdir never returns and dmesg keeps repeating "unregister_netdevice: waiting for usb0 to become free. Usage count = N", a reference to the device was leaked instead. Either result points at this class of lifecycle bug, though neither by itself confirms CVE-2026-31722.
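An added example, not from the advisory, that turns the check above into something you can run and that also classifies kernel log output the way the bullet list above suggests. The ifname attribute of the function instance, the unregister_netdevice message and the usb_f_rndis module tag are real kernel interfaces; the function names, the five-second wait and the sample log lines are this script's own constructions.

```shell
#!/bin/sh
# Added example, not from the advisory. Two pieces:
#  1. check_instance_release FUNCDIR: does removing the RNDIS function instance
#     really release its network interface? Needs root and a live gadget.
#  2. triage_kmsg: classify kernel log lines (dmesg output) for the two
#     signatures of a leaked net_device. Runs anywhere.
set -eu

# check_instance_release FUNCDIR [TIMEOUT] -> released | leaked IFNAME | hung IFNAME
# Read the interface name the instance owns before the rmdir; afterwards the
# interface must be gone from /sys/class/net. A surviving entry is the stale
# object this advisory describes. A leaked *reference* looks different: the
# rmdir blocks in unregister_netdev() and never returns, so it runs in the
# background here and is declared hung after TIMEOUT seconds (default 5).
check_instance_release() {
    funcdir="$1"
    timeout="${2:-5}"
    ifname=$(cat "$funcdir/ifname")
    rmdir "$funcdir" &
    pid=$!
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt "$timeout" ]; do
        sleep 1
        i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        echo "hung $ifname"        # stuck in netdev_wait_allrefs(): check dmesg
    elif [ -e "/sys/class/net/$ifname" ]; then
        echo "leaked $ifname"      # rmdir returned but the interface survived
    else
        echo released
    fi
}

# triage_kmsg < LOG -> crash | leak | clean
# "crash": an oops/BUG/GPF followed by a usb_f_rndis frame in the trace.
# "leak":  the kernel waiting for an interface's references to drop.
# A crash outranks a leak when both appear in the same log.
triage_kmsg() {
    verdict=clean
    in_oops=0
    while IFS= read -r line; do
        case "$line" in
            *"unregister_netdevice: waiting for "*" to become free"*)
                [ "$verdict" = crash ] || verdict=leak ;;
            *"BUG: "*|*"general protection fault"*|*"Oops: "*)
                in_oops=1 ;;
            *"[usb_f_rndis]"*|*rndis_command_complete*|*rndis_unbind*|*rndis_free_inst*)
                [ "$in_oops" = 1 ] && verdict=crash ;;
        esac
    done
    echo "$verdict"
}

# Usage on a live system (root; dmesg needs CAP_SYSLOG on hardened hosts):
#   check_instance_release /sys/kernel/config/usb_gadget/g1/functions/rndis.usb0
#   dmesg | triage_kmsg
```

Run check_instance_release from a lab shell rather than from a provisioning script: on a kernel that leaks a reference the background rmdir sits in D state forever and cannot be killed, which is exactly the symptom you are looking for but not something you want inside a boot sequence. Feed triage_kmsg saved console logs or a pstore dump from a crashed device as well as live dmesg output.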

Long-Term Recommendations for Developers

This bug highlights the importance of rigorous lifecycle testing in the USB gadget subsystem. Developers integrating RNDIS support into custom Linux builds should:
- Fuzz test configfs bind/unbind operations under stress.
- Use kernel memory debugging tools such as KASAN and KFENCE to catch use-after-free errors early, and lockdep for the locking side of the teardown path.
- Review and upstream any out-of-tree gadget drivers to benefit from community review.
- Follow the stable kernel releases for USB gadget fixes.

Conclusion

CVE-2026-31722 is a medium-severity but impactful Linux kernel bug that can crash systems using the USB gadget RNDIS function. It requires local access to the device's configfs tree, so it is not remotely exploitable, but it is a real threat to embedded devices and Linux-based network appliances where uptime matters. Applying the forthcoming kernel patch or the workarounds above prevents denial-of-service crashes from both innocent reconfiguration and deliberate abuse. As USB gadget usage grows in IoT and edge computing, robust driver lifecycle management matters more, not less.

Stay informed through your distribution’s security channels and the NVD entry for updated patch availability. For custom kernels, keep a close eye on the linux-usb and linux-stable mailing lists.