Skip to main content

Linux Kernel CVE-2026-31412

| EUVDEUVD-2026-21361 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-04-10 Linux GHSA-35q9-fp2v-jhcq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 20, 2026 - 16:08 vuln.today
CVSS changed
May 20, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
91817ad5452defe69bc7bc0e355f0ed5d01125cc,8479891d1f04a8ce55366fe4ca361ccdb96f02e1,228b37936376143f4b60cc6828663f6eaceb81b5
EUVD ID Assigned
Apr 10, 2026 - 11:00 euvd
EUVD-2026-21361
CVE Published
Apr 10, 2026 - 10:35 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

The check_command_size_in_blocks() function calculates the data size in bytes by left shifting common->data_size_from_cmnd by the block size (common->curlun->blkbits). However, it does not validate whether this shift operation will cause an integer overflow.

Initially, the block size is set up in fsg_lun_open() , and the common->data_size_from_cmnd is set up in do_scsi_command(). During initialization, there is no integer overflow check for the interaction between two variables.

So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (common->data_size_from_cmnd), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses.

Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows.

AnalysisAI

Integer overflow in the Linux kernel's USB gadget mass storage driver (f_mass_storage) allows a malicious USB host to corrupt kernel memory or trigger out-of-bounds accesses on any Linux system acting as a USB storage gadget. The flaw affects kernel versions tracing back to Linux 3.3 (commit 144974e7f9e32b53b02f6c8632be45d8f43d6ab5), with vendor-released patches now available across multiple stable branches. No public exploit has been identified at time of analysis, and EPSS exploitation probability stands at a very low 0.02%, consistent with the physical USB access prerequisite.

Technical ContextAI

The f_mass_storage driver implements the USB Mass Storage Class within the Linux kernel gadget framework, enabling a Linux system to present itself as a USB storage device to a connected host. The vulnerable function check_command_size_in_blocks() computes the total byte-length of a SCSI transfer by left-shifting common->data_size_from_cmnd by common->curlun->blkbits (the log-base-2 block size). Neither do_scsi_command(), which parses SCSI command fields into data_size_from_cmnd, nor fsg_lun_open(), which sets blkbits during LUN initialization, validates the interaction between these two values against overflow. Under CWE-190 (Integer Overflow or Wraparound), a sufficiently large data_size_from_cmnd combined with a nonzero blkbits shift causes the multiplication-equivalent to wrap around the integer boundary, producing a falsely small result that bypasses downstream size checks. The upstream fix applies the check_shl_overflow() macro to detect and abort the computation on overflow. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

The primary remediation is to upgrade to a patched Linux kernel stable release: 6.1.167, 6.6.130, 6.12.78, 6.18.19, or 6.19.9. Upstream fix commits are available at https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc, https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b, https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5, https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3, https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac, and https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1. For systems that cannot be patched immediately, the most direct compensating control is to unload or blacklist the g_mass_storage or usb_f_mass_storage kernel modules (modprobe -r usb_f_mass_storage), which fully eliminates the attack surface at the cost of disabling USB gadget mass storage functionality. If the gadget mode is operationally required, physically restricting USB port access to trusted hosts is a second-best control, though it is a physical rather than software-enforced boundary.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy