Skip to main content

Linux Kernel EUVDEUVD-2026-25510

| CVE-2026-31617 MEDIUM
Integer Underflow (CWE-191)
2026-04-24 Linux GHSA-v24g-wpq8-cwqx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 17:37 vuln.today
CVSS changed
Apr 28, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 17:27 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25510
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely.

The same underflow occurs in the datagram index checks against block_len

  • opts->dpe_size. With those checks neutered, a malicious USB host can

choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb.

Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined.

Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.

AnalysisAI

Integer underflow in the Linux kernel's USB NCM gadget driver allows a malicious USB host to bypass buffer boundary checks and copy adjacent kernel memory into network packet buffers. The vulnerability exists in ncm_unwrap_ntb() where block_len values smaller than the NDP size cause unsigned integer underflow in bounds validation, enabling out-of-bounds memory read and potential information disclosure. Affected versions prior to Linux 6.12.83, 6.18.24, 6.19.14, and 7.0.1 require patching; exploitation requires local USB device attachment or administrative USB gadget configuration.

Technical ContextAI

The vulnerability occurs in the USB Communications Device Class (CDC) Network Control Model (NCM) gadget implementation within the Linux kernel. The NCM protocol defines a Network Transfer Block (NTB) header structure with configurable sizes for the Network Datagram Pointer (NDP) and datagram packet element (dpe). When the host supplies a block_len value in the NTB header, the kernel validates it against a maximum (ntb_max) but omitted a minimum bound check. The vulnerability is rooted in CWE-190 (Integer Underflow), where block_len - opts->ndp_size and block_len - opts->dpe_size computations underflow when block_len is smaller than the respective option sizes. This produces a huge unsigned integer that any legitimate ndp_index can never exceed, completely neutralizing the out-of-bounds protection. The fix (commit 8f993d30b95dc9557a8a96ceca11abed674c8acb and related commits) enforces a minimum block_len that must accommodate the NTB header plus at least one NDP entry.

RemediationAI

Apply the vendor-released patch available in Linux 6.12.83 (and later 6.19.14, 7.0.1 branches). System administrators should update to the latest stable kernel version containing commit 8757a2593631443648218244b9788e193ae0fdc1 or equivalent. For systems unable to update immediately, disable USB gadget functionality if not required, or restrict USB device attachment via physical security or kernel configuration (CONFIG_USB_GADGET and CONFIG_USB_F_NCM can be disabled at compile time). Additionally, on systems where USB gadgets are enabled, apply strict access controls to prevent unprivileged users from loading malicious gadget configurations. Monitor systems with NCM gadgets enabled for unexpected kernel memory disclosure or system crashes related to USB device enumeration. Patches for specific distributions should be obtained from their respective kernel maintainers and applied as soon as available.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-25510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy