CVE-2026-31623

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers.

Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx driver.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < 6807ff49bf796b3823b1e29f97b69316a40a9a94affected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < 0c5c65a17db729fc63ab656bdaaf0e675a9dbeacaffected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < 6053620fdbcd89fa7e755644efdaab78e0daaae7affected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < d4e1946bea8d6441835eb3fd09b19237ba366a6faffected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < a23b1b1aaf41e174181d5853a70e65d4d01e648caffected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < c183d5775129a0a7495bd61a6e57ec230dcf01e5affected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < ebf75c6301c4972a87542ebf2d994c6391eb5d46affected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < 9989938d13cc5ba8447eeed5a61acfcf61bc6801affected
LinuxLinux87cf65601e1709e57f7e28f0f7b3eb0a992c1782 < 600dc40554dc5ad1e6f3af51f700228033f43ea7affected
LinuxLinux2.6.31affected
LinuxLinux0 < 2.6.31unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.136 <= 6.6.*unaffected
LinuxLinux6.12.83 <= 6.12.*unaffected
LinuxLinux6.18.24 <= 6.18.*unaffected
LinuxLinux6.19.14 <= 6.19.*unaffected
LinuxLinux7.0.1 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References