CVE-2026-31616

MEDIUM EPSS 2.6%
Published Apr 24, 20262mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers. pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap. Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-401

Affected Products 5

VendorProductVersionRange
linuxlinux_kernel*≥2.6.32  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1

References 9

  • git.kernel.org https://git.kernel.org/stable/c/3d7f7e0c842242878c24b2facff8d6eda23ee1e9
  • git.kernel.org https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7424f0287da73d3d8c5fa5e9d25d26fce762708e
  • git.kernel.org https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b5ec49fa198bd08967a3102bd41f53ccadce72c9
  • git.kernel.org https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1
    Patch