The Linux kernel project has issued a fix for a medium-severity vulnerability, tracked as CVE-2026-31721, that could allow a local attacker to corrupt kernel memory and potentially escalate privileges on systems using the USB gadget HID function. The flaw, published on May 1, 2026, stems from a lifetime management bug in the usb_f_hid gadget driver when handling bind and unbind operations in conjunction with epoll event polling.
The vulnerability affects all Linux kernel versions that include the HID gadget driver, which is commonly used in development boards, IoT devices, and systems configured as USB peripherals via the USB gadget subsystem. Notably, Windows users running Windows Subsystem for Linux 2 (WSL2) are also exposed, as WSL2 relies on a custom Linux kernel that bundles the same USB gadget framework.
Understanding the USB Gadget HID Vulnerability
The USB gadget subsystem allows a Linux-based device to act as a USB peripheral, emulating various device classes such as Ethernet adapters, mass storage, or human interface devices (HID). The HID function (f_hid) is particularly popular for creating custom keyboards, mice, or game controllers. When a gadget configuration is bound to a USB device controller, the kernel creates corresponding character or event devices that userspace can interact with.
Applications often use the epoll API to monitor these gadget file descriptors for events like data availability or disconnect. The vulnerability arises when a user repeatedly unbinds and rebinds the gadget configuration while an epoll_wait() call is pending or has returned events. During the unbind operation, the kernel frees internal structures associated with the gadget, but if an epoll instance still holds a reference to a freed wait queue entry, a use-after-free or list corruption occurs. This can corrupt the kernel’s internal linked lists, leading to crashes or arbitrary memory access.
Technical Breakdown of the Race Condition
At the core of CVE-2026-31721 lies a classic race between gadget teardown and event-polling cleanup. When a gadget configuration is unbound, the function driver’s unbind callback is invoked. For f_hid, this callback destroys the device nodes and frees the f_hidg structure. However, if an epoll instance has previously registered interest in those nodes via EPOLL_CTL_ADD, the epoll subsystem retains a reference to the eventpoll structure, which in turn references the now-freed gadget data. A subsequent rebind creates new gadget structures at possibly the same memory locations, but the stale epoll references cause list corruption when the kernel tries to deliver events to a freed object.
This is a typical "lifetime bug" scenario: the HID gadget driver does not ensure that all external references are dropped before freeing memory. The root cause was traced to a missing synchronization between the f_hidg_release operation (when userspace closes the file descriptor) and the unbind callback. The fix introduces proper reference counting and a completion mechanism to guarantee that all epoll references are cleared before the gadget structure is deallocated.
Impact and Exploitability
CVE-2026-31721 has been rated medium severity (CVSS score around 5.5–6.8 depending on the scoring vector) because exploitation requires local access to the system with the ability to trigger bind/unbind operations on a USB gadget. In default configurations on most distributions, only root or users in the usb group can manage gadget configurations, limiting the attack surface. However, on systems where unprivileged users are granted these permissions—common in development and embedded environments—the flaw becomes a local privilege escalation (LPE) vector.
An attacker could drive a sequence of USB gadget configuration changes while monitoring the gadget’s epoll file descriptor, causing the kernel to write to uninitialized memory or manipulate kernel linked lists. Successful exploitation could lead to:
- Denial of Service (DoS): Crashing the kernel via a null pointer dereference or corrupted list traversal.
- Information Leak: Reading kernel memory leftovers from freed slabs.
- Arbitrary Code Execution: Gaining kernel code execution by overwriting function pointers or manipulating the task’s credentials through a kernel write-what-where primitive.
While no public exploit code has been observed at the time of the advisory, security researchers warn that creating a reliable exploit is feasible given the deterministic nature of the race window.
WSL2: A Hidden Exposure for Windows Users
Windows Subsystem for Linux 2 runs a full Linux kernel inside a lightweight virtual machine. This kernel is maintained by Microsoft and includes the USB gadget subsystem, though USB gadget support is not typically enabled in default WSL2 configurations. However, advanced users and developers who manually compile custom WSL2 kernels with USB gadget support—for testing embedded devices or using Linux as a USB peripheral in conjunction with USB passthrough—are directly affected.
Microsoft has already integrated the fix into its WSL2 kernel update released on May 3, 2026. Windows Insiders and users who keep their WSL instances updated via wsl --update or the Microsoft Store will receive the patched kernel automatically. For manually configured kernels, users need to rebuild their WSL2 kernel with the latest long-term support (LTS) or stable kernel sources that include the fix (commits available in kernel 6.1.92, 6.6.32, and newer).
The Fix: Proper Lifetime Management in f_hid
The kernel patch, authored by a Google Chrome OS developer, introduces a struct completion to synchronize the release of the gadget file descriptor with the unbind callback. When the gadget is unbound, the driver now waits for all running epoll instances to acknowledge the file close before freeing the f_hidg structure. Additionally, the epoll notification mechanism is updated to check a validity flag before accessing the gadget data, preventing use-after-free even if a late event is delivered.
Key changes in the patch include:
- Adding a refcount field to f_hidg to track active epoll references.
- Implementing a wait_for_completion() call in hidg_unbind() to block until all releases complete.
- Setting a DEAD flag in the gadget structure after unbind to short-circuit any stale epoll callbacks.
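To make the three changes concrete, here is an added userspace model in C of the lifetime pattern described in the Technical Breakdown and in the fix above; it is not the kernel patch, and the type and function names (hidg_model, epoll_ref_add, epoll_ref_release, run_unbind_while_polled) are hypothetical. The blocking wait_for_completion() is stood in for by deferring the free until the last reference is dropped.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Added userspace model of the f_hidg lifetime fix (not the kernel patch):
 * each epoll watcher holds a counted reference, unbind sets DEAD, and the
 * object is freed only when its last reference drops. Names are hypothetical. */
struct hidg_model {
    int refcount;    /* bind reference + one per registered epoll watcher */
    bool dead;       /* set by unbind; checked before touching the object */
    int events_seen; /* events delivered while alive */
};
static int freed_count; /* lets a caller observe when the free happened */
static struct hidg_model *hidg_bind(void) {
    struct hidg_model *h = calloc(1, sizeof *h);
    h->refcount = 1; /* the bound gadget itself holds one reference */
    return h;
}
static void hidg_put(struct hidg_model *h) {
    if (--h->refcount == 0) { /* only the last holder frees */
        freed_count++;
        free(h);
    }
}
/* EPOLL_CTL_ADD analogue: the watcher pins the object. */
static void epoll_ref_add(struct hidg_model *h) { h->refcount++; }
/* f_hidg_release analogue: the watcher is gone, drop its reference. */
static void epoll_ref_release(struct hidg_model *h) { hidg_put(h); }
/* hidg_unbind analogue: mark DEAD and drop the bind reference. Deferring
 * the free to the last put stands in for the patch's wait_for_completion(). */
static void hidg_unbind(struct hidg_model *h) {
    h->dead = true;
    hidg_put(h);
}
/* Event delivery: a stale callback arriving after unbind is short-circuited. */
static bool hidg_deliver_event(struct hidg_model *h) {
    if (h->dead) return false;
    h->events_seen++;
    return true;
}
/* The advisory's sequence: watcher registered, unbind while it is still
 * registered, a late event, then the watcher releases. Returns 1 if the
 * late event was rejected and the free happened only at the release. */
static int run_unbind_while_polled(void) {
    struct hidg_model *h = hidg_bind();
    epoll_ref_add(h);
    bool live = hidg_deliver_event(h);   /* accepted: object is alive */
    hidg_unbind(h);                      /* DEAD, but refcount is still 1 */
    int before = freed_count;
    bool late = hidg_deliver_event(h);   /* rejected by the DEAD flag */
    epoll_ref_release(h);                /* last reference: freed here */
    return (live && !late && freed_count == before + 1) ? 1 : 0;
}
```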
This fix cleans up a long-standing oversight in the HID gadget driver, which had remained otherwise stable since its introduction in 2012. The patch has been backported to all supported stable kernels, and distributions are rolling out updates via their standard security channels.
Windows-Specific Implications and Mitigations
For the vast majority of Windows users, CVE-2026-31721 poses no direct risk, as Windows does not use the Linux USB gadget framework natively. However, the growing integration of Linux in Windows—through WSL2, Azure-hosted VMs, and cross-platform development tools—means that Linux kernel vulnerabilities can indirectly affect Windows environments. Microsoft’s rapid response in updating the WSL2 kernel highlights the importance of treating WSL as a critical component of the Windows security posture.
Windows users should:
- Update WSL2 immediately: Run wsl.exe --update from PowerShell or Command Prompt to fetch the latest kernel.
- Verify kernel version: Inside WSL, run uname -r to ensure the kernel is 5.15.154+ (or 6.1.92+ if using the new WSL2 kernel with USB support).
- Limit USB gadget access: If using custom kernels with USB gadget enabled, ensure only trusted users can call echo "" > /config/usb_gadget/g1/UDC to bind/unbind.
- Monitor security advisories: Subscribe to the WSL GitHub repository and Microsoft Security Response Center (MSRC) for future alerts.
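As an added helper for the version check above (not from the advisory or from Microsoft), a POSIX shell function that classifies a uname -r string against the fixed versions this article names (5.15.154, 6.1.92, 6.6.32); the function name kernel_fix_status is hypothetical and the release strings in the comments are constructed.

```shell
# Added helper (not from the advisory or Microsoft): classify a kernel release
# string against the fixed versions named in this article: 5.15.154, 6.1.92,
# 6.6.32. Branches newer than 6.6 are treated as carrying the fix ("and
# newer"); older branches the article does not list are reported as unknown.
# Prints patched / vulnerable / unknown and returns 0 only for patched.
kernel_fix_status() {
    rel=$1
    # Drop the WSL suffix (constructed example: "5.15.154.1-microsoft-standard-WSL2")
    # and refuse anything that is not digits and dots.
    ver=${rel%%-*}
    case "$ver" in
        ""|*[!0-9.]*) echo unknown; return 2 ;;
    esac
    maj=$(printf '%s' "$ver" | cut -d. -f1)
    min=$(printf '%s' "$ver" | cut -d. -f2)
    pat=$(printf '%s' "$ver" | cut -d. -f3)
    maj=${maj:-0}
    min=${min:-0}
    pat=${pat:-0}
    case "$maj.$min" in
        5.15) need=154 ;;
        6.1)  need=92 ;;
        6.6)  need=32 ;;
        *)
            if [ "$maj" -gt 6 ] || { [ "$maj" -eq 6 ] && [ "$min" -gt 6 ]; }; then
                echo patched; return 0
            fi
            echo unknown; return 2 ;;
    esac
    if [ "$pat" -ge "$need" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Inside WSL: kernel_fix_status "$(uname -r)"
```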
Broader Lessons for Kernel Security
CVE-2026-31721 serves as a reminder that even relatively obscure kernel components can harbor exploitable bugs. The USB gadget subsystem is often less scrutinized than mainstream drivers, yet it is increasingly used in IoT, automotive, and cloud-connected devices. The epoll interaction underscores a broader class of vulnerabilities where asynchronous I/O mechanisms and object teardown must be meticulously synchronized.
For Windows users, the incident demonstrates the value of Microsoft’s commitment to rapid kernel patching for WSL. It also highlights the security benefits of the hypervisor-based isolation in WSL2—even if an attacker exploits a kernel bug inside WSL, the impact is contained to the Linux VM and does not directly compromise the host Windows OS. However, lateral movement via shared filesystems or network interfaces could still be possible, so timely patching remains essential.
Conclusion
The Linux USB HID gadget vulnerability CVE-2026-31721 is a textbook lifetime bug with real-world implications for developers and WSL2 power users. Thanks to swift vendor coordination, fixes are already available for all major kernels and distributions. Windows enthusiasts leveraging WSL2 for cross-platform development should ensure their Linux kernels are up to date. As Linux continues to integrate more deeply into the Windows ecosystem, such cross-platform security vigilance will become increasingly important.