5.5

CVE-2026-31616

EPSS 0.01%
Veröffentlicht 24.04.2026 14:42:35
Zuletzt bearbeitet 28.04.2026 17:21:15
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()

A broken/bored/mean USB host can overflow the skb_shared_info->frags[]
array on a Linux gadget exposing a Phonet function by sending an
unbounded sequence of full-page OUT transfers.

pn_rx_complete() finalizes the skb only when req->actual < req->length,
where req->length is set to PAGE_SIZE by the gadget.  If the host always
sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be
reset and each completion will add another fragment via
skb_add_rx_frag().  Once nr_frags exceeds MAX_SKB_FRAGS (default 17),
subsequent frag stores overwrite memory adjacent to the shinfo on the
heap.

Drop the skb and account a length error when the frag limit is reached,
matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan:
t7xx: fix potential skb->frags overflow in RX path").

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 5 VulnDex Vulnerability Enrichment 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 2.6.32 < 6.6.136

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.83

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.24

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.14

Linux ≫ Linux Kernel Version >= 7.0 < 7.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.023

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1

Patch

https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711

Patch

https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7

Patch

https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673

Patch

https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a

Patch

https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31616

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31616

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31616

EUVD