Skip to main content

Linux Kernel CVE-2026-31616

| EUVDEUVD-2026-25509 MEDIUM
Memory Leak (CWE-401)
2026-04-24 Linux GHSA-h96r-xqwg-w67w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 17:22 vuln.today
CVSS changed
Apr 28, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 17:21 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25509
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()

A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers.

pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap.

Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").

AnalysisAI

Memory corruption via skb fragment array overflow in the USB Phonet gadget driver allows local attackers with device-level USB host capabilities to cause denial of service. The vulnerability exists in pn_rx_complete() which fails to enforce the MAX_SKB_FRAGS limit when processing unbounded full-page OUT transfers, causing heap memory corruption adjacent to the skb_shared_info structure. A malicious or misconfigured USB host sending continuous PAGE_SIZE byte transfers triggers the flaw in gadgets exposing the Phonet function, confirmed fixed in Linux 6.12.83, 6.18.24, 6.19.14, and 7.0.1.

Technical ContextAI

The Linux kernel USB gadget subsystem provides a Phonet function (f_phonet) that processes incoming USB transfers via the pn_rx_complete() callback handler. The vulnerability resides in the receive path where skb_add_rx_frag() accumulates fragments from consecutive full-page OUT transfers without validating the fragment count against MAX_SKB_FRAGS (default value 17, defined in include/linux/skbuff.h). The skb_shared_info structure stores fragments in a frags[] array sized for MAX_SKB_FRAGS entries; exceeding this limit via unbounded skb_add_rx_frag() calls causes writes beyond allocated bounds on the heap. The root cause (CWE-401: Missing Release of Memory after Effective Lifetime) stems from improper cleanup logic: pn_rx_complete() only finalizes (releases) the skb when req->actual < req->length, but when a USB host deliberately sends exactly PAGE_SIZE bytes per transfer (matching req->length), the skb is never reset between completions, allowing fragments to accumulate indefinitely.

RemediationAI

Vendor-released patches are available in stable kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. Immediately upgrade to one of these patched versions or the latest stable branch. The upstream fix (referenced at https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a and confirmed by https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83) implements bounds checking on the skb fragment count in pn_rx_complete(), dropping the skb and logging a length error when MAX_SKB_FRAGS is exceeded. For organizations unable to patch immediately, disable the USB Phonet gadget function by setting CONFIG_USB_PHONET=n at kernel build time or removing the phonet.ko module on deployed systems-this eliminates the attack surface entirely with no functional impact unless Phonet over USB is actively used. Alternatively, restrict USB device access via Physical Device Access Controls (PDOs) or SELinux policies limiting ioctl access to /sys/bus/usb/devices/ and the gadget configuration interface; however, this is less reliable than patching. Test patches thoroughly in non-production gadget environments before deployment, as USB gadget code changes carry inherent stability risks.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy