Vulnerability Found in the USB Gadget Linux Kernel Subsystem

A vulnerability (CVE-2021-39685) has been identified in USB Gadget, a subsystem of the Linux kernel that provides a programming interface for creating client USB devices and for software simulation of USB devices. The flaw could lead to a leak of kernel memory, a crash, or arbitrary code execution at the kernel level.

The attack can be carried out by an unprivileged local user by manipulating the various device classes implemented on top of the USB Gadget API, such as rndis, hid, uac1, uac1_legacy, and uac2.