{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31607","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.122Z","datePublished":"2026-04-24T14:42:29.468Z","dateUpdated":"2026-06-30T12:07:49.615Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:42:48.408Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb->number_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb->iso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n  The buggy address is located 0 bytes to the right of\n   allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo's series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu->number_of_packets against\nurb->number_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/usbip/usbip_common.c"],"versions":[{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"324262c38438255bf6bdbf6342ca47c0badaab76","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"973f2c250289f5bf6cc146b98aa6fdde11fe50d6","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"ce744264b06b97069b3722511ab355738311fee0","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"885c8591784da6314f9aa82fa460ac69f9f79e5f","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"8d155e2d1c4102f74f82a2bf9c016164bb0f7384","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"906f16a836de13fe61f49cdce2f66f2dbd14caf4","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"ef8ebb1c637b4cfb61a9dd2e013376774ee2033b","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"5e1c4ece08ccdc197177631f111845a2c68eede3","status":"affected","versionType":"git"},{"version":"1325f85fa49f57df034869de430f7c302ae23109","lessThan":"2ab833a16a825373aad2ba7d54b572b277e95b71","status":"affected","versionType":"git"},{"version":"d9638d9236eed035a575feddec61d036dacc2676","status":"affected","versionType":"git"},{"version":"ca7d3501b7a287c18b5b470e871d3029b0f4842a","status":"affected","versionType":"git"},{"version":"1ce528277e1a66856ed3f7526c1e3458c0ed4a70","status":"affected","versionType":"git"},{"version":"db898d0c5c493ce4177d5e1d3a953e079a56a24b","status":"affected","versionType":"git"},{"version":"5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a","status":"affected","versionType":"git"},{"version":"2.6.32.37","lessThan":"2.6.33","status":"affected","versionType":"semver"},{"version":"2.6.33.10","lessThan":"2.6.34","status":"affected","versionType":"semver"},{"version":"2.6.34.11","lessThan":"2.6.35","status":"affected","versionType":"semver"},{"version":"2.6.35.13","lessThan":"2.6.36","status":"affected","versionType":"semver"},{"version":"2.6.38.3","lessThan":"2.6.39","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/usbip/usbip_common.c"],"versions":[{"version":"2.6.39","status":"affected"},{"version":"0","lessThan":"2.6.39","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.39","versionEndExcluding":"7.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.32.37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.33.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.35.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.38.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76"},{"url":"https://git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6"},{"url":"https://git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0"},{"url":"https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f"},{"url":"https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384"},{"url":"https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4"},{"url":"https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"},{"url":"https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3"},{"url":"https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71"}],"title":"usbip: validate number_of_packets in usbip_pack_ret_submit()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"affected":[{"cpes":["cpe:/o:redhat:rhel_els:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Server (v. 7 ELS)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:rhel_els:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Server Optional (v. 7 ELS)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:rhel_eus:9.6::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9::baseos"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux BaseOS (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::crb"],"defaultStatus":"affected","product":"Red Hat CodeReady Linux Builder EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time for NFV (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::nfv"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::nfv"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time for NFV (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::realtime"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::realtime"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux Real Time (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"}],"datePublic":"2026-04-24T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in the Linux kernel's USB/IP subsystem. A malicious USB/IP server could exploit a vulnerability in the `usbip_pack_ret_submit()` function by sending a specially crafted `RET_SUBMIT` response. This response, containing an oversized `number_of_packets` value, could cause a heap out-of-bounds write. This issue may lead to a denial of service or potentially arbitrary code execution on the client system."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-805","description":"Buffer Access with Incorrect Length Value","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-31607"},{"name":"RHBZ#2461521","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2461521"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31607.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25095"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24343"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19569"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23224"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19568"}],"solutions":[{"lang":"en","value":"RHSA-2026:25095: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"},{"lang":"en","value":"RHSA-2026:24343: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"},{"lang":"en","value":"RHSA-2026:23224: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"}],"timeline":[{"lang":"en","time":"2026-04-24T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-24T00:00:00.000Z","value":"Made public."}],"title":"kernel: usbip: validate number_of_packets in usbip_pack_ret_submit()","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:49.615Z"}}]}}