CVE-2026-31617 (GCVE-0-2026-31617)
Vulnerability from cvelistv5
Published
2026-04-24 14:42
Modified
2026-04-27 13:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
The block_len read from the host-supplied NTB header is checked against
ntb_max but has no lower bound. When block_len is smaller than
opts->ndp_size, the bounds check of:
ndp_index > (block_len - opts->ndp_size)
will underflow producing a huge unsigned value that ndp_index can never
exceed, defeating the check entirely.
The same underflow occurs in the datagram index checks against block_len
- opts->dpe_size. With those checks neutered, a malicious USB host can
choose ndp_index and datagram offsets that point past the actual
transfer, and the skb_put_data() copies adjacent kernel memory into the
network skb.
Fix this by rejecting block lengths that cannot hold at least the NTB
header plus one NDP. This will make block_len - opts->ndp_size and
block_len - opts->dpe_size both well-defined.
Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed
a related class of issues on the host side of NCM.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Version: 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Version: 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Version: 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Version: 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Version: 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Version: f7e0611e207d8908c4f2858e244370529a76dbf7 Version: b88ad6e714284b33a47834f5f2a294c2b37c66aa Version: 471b23586387a32857778c511be60ab31c98dcfd Version: 4f529c4d1e436230d3af7c09a3239677a14d2b46 Version: ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8 |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0f156bb5334e588034ca68ac2ee92b23f66e56e7",
"status": "affected",
"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52",
"versionType": "git"
},
{
"lessThan": "8757a2593631443648218244b9788e193ae0fdc1",
"status": "affected",
"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52",
"versionType": "git"
},
{
"lessThan": "6762f8a95772265dd0c2ffe7f400493f3115b135",
"status": "affected",
"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52",
"versionType": "git"
},
{
"lessThan": "d58ba8f6546232f8414f396c189297dbee03f1a7",
"status": "affected",
"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52",
"versionType": "git"
},
{
"lessThan": "74908b0318d1df1188457040b8714ff4d4b68126",
"status": "affected",
"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52",
"versionType": "git"
},
{
"lessThan": "8f993d30b95dc9557a8a96ceca11abed674c8acb",
"status": "affected",
"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52",
"versionType": "git"
},
{
"status": "affected",
"version": "f7e0611e207d8908c4f2858e244370529a76dbf7",
"versionType": "git"
},
{
"status": "affected",
"version": "b88ad6e714284b33a47834f5f2a294c2b37c66aa",
"versionType": "git"
},
{
"status": "affected",
"version": "471b23586387a32857778c511be60ab31c98dcfd",
"versionType": "git"
},
{
"status": "affected",
"version": "4f529c4d1e436230d3af7c09a3239677a14d2b46",
"versionType": "git"
},
{
"status": "affected",
"version": "ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/usb/gadget/function/f_ncm.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.9"
},
{
"lessThan": "5.9",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.136",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.83",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.24",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.14",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.136",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.83",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.24",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.14",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "5.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.235",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.196",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.143",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.62",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts-\u003endp_size, the bounds check of:\n\tndp_index \u003e (block_len - opts-\u003endp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts-\u003edpe_size. With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP. This will make block_len - opts-\u003endp_size and\nblock_len - opts-\u003edpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T13:56:57.661Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7"
},
{
"url": "https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1"
},
{
"url": "https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135"
},
{
"url": "https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7"
},
{
"url": "https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126"
},
{
"url": "https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb"
}
],
"title": "usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-31617",
"datePublished": "2026-04-24T14:42:36.191Z",
"dateReserved": "2026-03-09T15:48:24.123Z",
"dateUpdated": "2026-04-27T13:56:57.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…