CVE-2026-31617
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely.
The same underflow occurs in the datagram index checks against block_len
- opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb.
Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined.
Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 068a7f2749fff6462a0a908ec415b885fe430f50 | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 1425655c2870054c3ab4712e2b6dbdd331597ada | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 0f156bb5334e588034ca68ac2ee92b23f66e56e7 | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 8757a2593631443648218244b9788e193ae0fdc1 | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 6762f8a95772265dd0c2ffe7f400493f3115b135 | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < d58ba8f6546232f8414f396c189297dbee03f1a7 | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 74908b0318d1df1188457040b8714ff4d4b68126 | affected |
| Linux | Linux | 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 8f993d30b95dc9557a8a96ceca11abed674c8acb | affected |
| Linux | Linux | f7e0611e207d8908c4f2858e244370529a76dbf7 | affected |
| Linux | Linux | b88ad6e714284b33a47834f5f2a294c2b37c66aa | affected |
| Linux | Linux | 471b23586387a32857778c511be60ab31c98dcfd | affected |
| Linux | Linux | 4f529c4d1e436230d3af7c09a3239677a14d2b46 | affected |
| Linux | Linux | ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8 | affected |
| Linux | Linux | 4.9.235 < 4.10 | affected |
| Linux | Linux | 4.14.196 < 4.15 | affected |
| Linux | Linux | 4.19.143 < 4.20 | affected |
| Linux | Linux | 5.4.62 < 5.5 | affected |
| Linux | Linux | 5.8.6 < 5.9 | affected |
| Linux | Linux | 5.9 | affected |
| Linux | Linux | 0 < 5.9 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.136 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.83 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.24 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.14 <= 6.19.* | unaffected |
| Linux | Linux | 7.0.1 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
ADP Enrichment
kernel: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
Additional References
- https://access.redhat.com/security/cve/CVE-2026-31617
- https://bugzilla.redhat.com/show_bug.cgi?id=2461448
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31617.json
References
- https://git.kernel.org/stable/c/068a7f2749fff6462a0a908ec415b885fe430f50
- https://git.kernel.org/stable/c/1425655c2870054c3ab4712e2b6dbdd331597ada
- https://git.kernel.org/stable/c/8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca
- https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7
- https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1
- https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135
- https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7
- https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126
- https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.