CVE-2026-31617

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely.

The same underflow occurs in the datagram index checks against block_len

  • opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb.

Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined.

Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 068a7f2749fff6462a0a908ec415b885fe430f50affected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 1425655c2870054c3ab4712e2b6dbdd331597adaaffected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 8b3b7bd3c02f98634baaf36c7fc7ac915f6517caaffected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 0f156bb5334e588034ca68ac2ee92b23f66e56e7affected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 8757a2593631443648218244b9788e193ae0fdc1affected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 6762f8a95772265dd0c2ffe7f400493f3115b135affected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < d58ba8f6546232f8414f396c189297dbee03f1a7affected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 74908b0318d1df1188457040b8714ff4d4b68126affected
LinuxLinux2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 < 8f993d30b95dc9557a8a96ceca11abed674c8acbaffected
LinuxLinuxf7e0611e207d8908c4f2858e244370529a76dbf7affected
LinuxLinuxb88ad6e714284b33a47834f5f2a294c2b37c66aaaffected
LinuxLinux471b23586387a32857778c511be60ab31c98dcfdaffected
LinuxLinux4f529c4d1e436230d3af7c09a3239677a14d2b46affected
LinuxLinuxae6a5394d9fbe118bc95cfe376d6a9d91d7547e8affected
LinuxLinux4.9.235 < 4.10affected
LinuxLinux4.14.196 < 4.15affected
LinuxLinux4.19.143 < 4.20affected
LinuxLinux5.4.62 < 5.5affected
LinuxLinux5.8.6 < 5.9affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

ADP Enrichment

kernel: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

Additional References

References