CVE-2026-31412

Severity: Medium · CVSS 3.1: 5.5 · EPSS 6.6%
Published Apr 10, 2026 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow.

Initially, the block size is set up in `fsg_lun_open()`, and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses.

Fix this by using the `check_shl_overflow()` macro to safely perform the shift and catch any overflows.
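
The wraparound described above, next to an overflow-checked shift, as an added userspace illustration (not the kernel's code or the patch itself). It assumes a 32-bit unsigned size field; the function names are hypothetical, and `shl_overflows_u32()` is a stand-in for the kernel's `check_shl_overflow()` macro.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix shape: a block count is shifted into a byte count with no check.
 * Assumption: the size field is 32-bit unsigned. Caller keeps blkbits < 32. */
static uint32_t size_unchecked(uint32_t blocks, unsigned int blkbits)
{
    return blocks << blkbits;   /* bits above bit 31 are silently dropped */
}

/* Stand-in for check_shl_overflow(): returns true when blocks << blkbits
 * does not fit in 32 bits; otherwise stores the result in *bytes. */
static bool shl_overflows_u32(uint32_t blocks, unsigned int blkbits,
                              uint32_t *bytes)
{
    if (blkbits >= 32)
        return true;                      /* shift count out of range */
    if (blocks > (UINT32_MAX >> blkbits))
        return true;                      /* high bits would be lost */
    *bytes = blocks << blkbits;
    return false;
}

/* Post-fix shape: reject the command rather than use a wrapped size. */
static int size_checked(uint32_t blocks, unsigned int blkbits, uint32_t *bytes)
{
    return shl_overflows_u32(blocks, blkbits, bytes) ? -1 : 0;
}

int main(void)
{
    const unsigned int blkbits = 9;   /* 512-byte blocks (constructed value) */
    /* Constructed block counts: small, exactly 2^32 bytes, just past it. */
    const uint32_t blocks[] = { 8u, 0x00800000u, 0x00800001u };

    for (size_t i = 0; i < sizeof(blocks) / sizeof(blocks[0]); i++) {
        uint32_t bytes = 0;
        int rc = size_checked(blocks[i], blkbits, &bytes);

        printf("blocks=0x%08x unchecked=%u checked=%s\n",
               (unsigned int)blocks[i],
               (unsigned int)size_unchecked(blocks[i], blkbits),
               rc ? "rejected" : "accepted");
    }
    return 0;
}
```

With 512-byte blocks, any block count above 0x007FFFFF produces a byte size that no longer fits in 32 bits, so the unchecked result is far smaller than the amount actually requested.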

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
6.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-190 Integer Overflow or Wraparound Numeric Error

Affected Products 9

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥3.3 – <6.1.167
linux   linux_kernel  *        ≥6.2 – <6.6.130
linux   linux_kernel  *        ≥6.7 – <6.12.78
linux   linux_kernel  *        ≥6.13 – <6.18.19
linux   linux_kernel  *        ≥6.19 – <6.19.9
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any
linux   linux_kernel  7.0      any

References 6

  • git.kernel.org https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b
    Patch

Remediation

  • The six git.kernel.org stable-tree patches listed under References.