{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31412","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.087Z","datePublished":"2026-04-10T10:35:05.796Z","dateUpdated":"2026-05-11T22:08:12.685Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:08:12.685Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/f_mass_storage.c"],"versions":[{"version":"144974e7f9e32b53b02f6c8632be45d8f43d6ab5","lessThan":"91817ad5452defe69bc7bc0e355f0ed5d01125cc","status":"affected","versionType":"git"},{"version":"144974e7f9e32b53b02f6c8632be45d8f43d6ab5","lessThan":"ce0caaed5940162780c5c223b8ae54968a5f059b","status":"affected","versionType":"git"},{"version":"144974e7f9e32b53b02f6c8632be45d8f43d6ab5","lessThan":"228b37936376143f4b60cc6828663f6eaceb81b5","status":"affected","versionType":"git"},{"version":"144974e7f9e32b53b02f6c8632be45d8f43d6ab5","lessThan":"3428dc5520c811e66622b2f5fa43341bf9a1f8b3","status":"affected","versionType":"git"},{"version":"144974e7f9e32b53b02f6c8632be45d8f43d6ab5","lessThan":"387ebb0453b99d71491419a5dc4ab4bee0cacbac","status":"affected","versionType":"git"},{"version":"144974e7f9e32b53b02f6c8632be45d8f43d6ab5","lessThan":"8479891d1f04a8ce55366fe4ca361ccdb96f02e1","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/f_mass_storage.c"],"versions":[{"version":"3.3","status":"affected"},{"version":"0","lessThan":"3.3","status":"unaffected","versionType":"semver"},{"version":"6.1.167","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.130","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.78","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.19","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.9","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.1.167"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.6.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.12.78"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.18.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"6.19.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.3","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc"},{"url":"https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b"},{"url":"https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5"},{"url":"https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3"},{"url":"https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac"},{"url":"https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1"}],"title":"usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()","x_generator":{"engine":"bippy-1.2.0"}}}}