Skip to main content

Linux Kernel CVE-2026-31607

| EUVDEUVD-2026-25500 CRITICAL
Out-of-bounds Write (CWE-787)
2026-04-24 Linux GHSA-fcfj-3h7q-75mq
9.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 15:22 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 15:11 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:34 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25500
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usbip: validate number_of_packets in usbip_pack_ret_submit()

When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.

AnalysisAI

Heap buffer overflow in Linux kernel USB/IP client allows malicious USB/IP servers to execute arbitrary code with kernel privileges via crafted RET_SUBMIT responses. A rogue server can specify a larger number_of_packets value than originally submitted, causing out-of-bounds writes when processing isochronous USB transfers. Patched in kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) suggests low probability of widespread exploitation despite CVSS 9.8 criticality, indicating this is primarily a risk in environments using USB/IP with untrusted servers rather than a general internet-facing threat.

Technical ContextAI

USB/IP is a kernel subsystem that allows USB devices to be shared over IP networks by virtualizing the USB protocol stack. The vulnerability exists in the client-side RET_SUBMIT response handler (usbip_pack_ret_submit() in drivers/usb/usbip/). When processing isochronous USB transfers, the kernel allocates a URB (USB Request Block) with a flexible array member iso_frame_desc[] sized based on the number_of_packets field from the original CMD_SUBMIT request. The vulnerable code unconditionally overwrites urb->number_of_packets with the server-supplied value from the network PDU without validation. Subsequent functions usbip_recv_iso() and usbip_pad_iso() use this attacker-controlled value as a loop bound to index into iso_frame_desc[], creating a classic heap buffer overflow condition. This is a CWE-787 (Out-of-bounds Write) vulnerability, though the CWE field is not populated in the CVE record. The Linux kernel CPE strings indicate this affects the core kernel module rather than a specific distribution.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83 or later for 6.12.x series, 6.18.24 or later for 6.18.x series, 6.19.14 or later for 6.19.x series, or 7.0.1 or later for 7.x series. Upstream git commits available at https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b (6.12), https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4 (6.18), https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384 (6.19), and https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3 (7.0). For systems where immediate kernel upgrade is not feasible, disable USB/IP client functionality by blacklisting the vhci-hcd kernel module (echo 'blacklist vhci-hcd' > /etc/modprobe.d/disable-usbip.conf && update-initramfs -u) - this completely removes USB/IP client capability but eliminates attack surface. If USB/IP must remain enabled, implement network-level controls to restrict USB/IP client connections only to explicitly trusted server IPs using firewall rules, and deploy USB/IP traffic over encrypted tunnels (VPN/SSH port forwarding) to prevent man-in-the-middle attacks. Note that disabling the module prevents all USB/IP client usage; there is no granular per-server configuration mitigation. Organizations using USB/IP in production should audit which systems have vhci-hcd loaded (lsmod | grep vhci) and review trust relationships with connected servers.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy