CVE-2026-31721

Daily digests

A race condition in the Linux kernel's USB gadget HID function driver lets a local attacker trigger use-after-free memory corruption. Because the list and spinlock weren't initialized early enough, an attacker with local access could escalate privileges or crash the system. Exploitation requires local access to a system using USB gadget mode, which limits the blast radius.

• Daily Digest · May 19, 2026

  Apache Thrift 9.4 RCE + 4 Linux/Go/curl fixes