Skip to main content

Linux Kernel CVE-2026-31623

| EUVDEUVD-2026-25516 MEDIUM
Classic Buffer Overflow (CWE-120)
2026-04-24 Linux GHSA-76f4-xjp9-xcxc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:22 vuln.today
CVSS changed
Apr 28, 2026 - 14:22 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:17 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25516
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers.

Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx driver.

AnalysisAI

Denial of service via skb_shared_info->frags[] buffer overflow in the CDC Phonet USB driver allows local attackers with USB device access to crash the kernel by sending unbounded sequences of full-page bulk transfers. A malicious or compromised USB modem device can trigger this overflow without authentication or user interaction. The vulnerability has a low EPSS score (0.02%) despite moderate CVSS (5.5), indicating exploitation requires specific local USB hardware control.

Technical ContextAI

The Linux kernel's CDC Phonet USB driver (net/usb/cdc-phonet.c) handles incoming USB bulk transfers via the rx_complete() callback function. These transfers are assembled into socket buffers (SKBs) with packet fragments stored in skb_shared_info->frags[], an array with a fixed maximum capacity. The vulnerability exists because the driver does not validate the number of fragments before adding new ones, allowing a malicious USB device to exceed the array bounds and trigger a buffer overflow. The CWE-120 (Buffer Copy without Checking Size of Input) classification reflects the missing bounds check on fragment accumulation. This is analogous to a prior fix in the t7xx WWAN driver (commit f0813bcd2d9d), indicating a pattern of this vulnerability across USB network drivers.

RemediationAI

Upgrade to a patched Linux kernel version: 6.12.83, 6.19.14, 7.0.1, or 6.18.24 or later, or apply the upstream fix commit (git.kernel.org/stable/ references provided). Distributions will backport this fix into their stable branches; check your distribution's security advisories for specific kernel package versions (e.g., linux-image-generic for Ubuntu, kernel for RHEL, linux for Arch). For systems unable to patch immediately, mitigate by disabling or physically removing untrusted USB ports using BIOS/firmware settings, enforcing usb-storage blacklist via modprobe (modprobe -b usb_storage), or using USB port ACLs if available in your kernel configuration. Note that blacklisting USB storage does not prevent CDC Phonet modem devices; full USB port restriction or physical disconnection is required for complete mitigation. These compensating controls have trade-offs: disabling USB ports reduces hardware flexibility; modprobe blacklisting affects only storage devices, not network USB devices. Patching is strongly recommended as the definitive fix.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31623 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy