CVE-2026-31615

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math.

This is just like what was done in commit ee0d382feb44 ("usb: gadget: aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < 7caaf76207f50c77abfd788380e19b2c23a94415affected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < c4e5ae6db2328d2d9ed55d3005a36c13faab0752affected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < 360aa6e71870a175a6d86af905be2ca171639eb3affected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < 1b2bfedccc4fb8c9572e1ea464f905424c91de2aaffected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < adb8014599fdf0818d3d93f1f74e06cd0bdec08daffected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < 44216e3dd4455b798899b50eedb0ec3831dff8e0affected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < 37f430b2240655e6b0199a92aa1057e4d621be51affected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < e3d42598f2995cdc07b7779874e7c5f8a1b773dbaffected
LinuxLinux746bfe63bba37ad55956b7377c9af494e7e28929 < f880aac8a57ebd92abfa685d45424b2998ac1059affected
LinuxLinux4.5affected
LinuxLinux0 < 4.5unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References