{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31617","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.123Z","datePublished":"2026-04-24T14:42:36.191Z","dateUpdated":"2026-05-11T22:12:16.395Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:12:16.395Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts->ndp_size, the bounds check of:\n\tndp_index > (block_len - opts->ndp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts->dpe_size.  With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP.  This will make block_len - opts->ndp_size and\nblock_len - opts->dpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/f_ncm.c"],"versions":[{"version":"2b74b0a04d3e9f9f08ff026e5663dce88ff94e52","lessThan":"0f156bb5334e588034ca68ac2ee92b23f66e56e7","status":"affected","versionType":"git"},{"version":"2b74b0a04d3e9f9f08ff026e5663dce88ff94e52","lessThan":"8757a2593631443648218244b9788e193ae0fdc1","status":"affected","versionType":"git"},{"version":"2b74b0a04d3e9f9f08ff026e5663dce88ff94e52","lessThan":"6762f8a95772265dd0c2ffe7f400493f3115b135","status":"affected","versionType":"git"},{"version":"2b74b0a04d3e9f9f08ff026e5663dce88ff94e52","lessThan":"d58ba8f6546232f8414f396c189297dbee03f1a7","status":"affected","versionType":"git"},{"version":"2b74b0a04d3e9f9f08ff026e5663dce88ff94e52","lessThan":"74908b0318d1df1188457040b8714ff4d4b68126","status":"affected","versionType":"git"},{"version":"2b74b0a04d3e9f9f08ff026e5663dce88ff94e52","lessThan":"8f993d30b95dc9557a8a96ceca11abed674c8acb","status":"affected","versionType":"git"},{"version":"f7e0611e207d8908c4f2858e244370529a76dbf7","status":"affected","versionType":"git"},{"version":"b88ad6e714284b33a47834f5f2a294c2b37c66aa","status":"affected","versionType":"git"},{"version":"471b23586387a32857778c511be60ab31c98dcfd","status":"affected","versionType":"git"},{"version":"4f529c4d1e436230d3af7c09a3239677a14d2b46","status":"affected","versionType":"git"},{"version":"ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/usb/gadget/function/f_ncm.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"6.6.136","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.83","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.24","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.14","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0.1","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.12.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.18.24"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.19.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"7.0.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"7.1-rc1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.196"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.143"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.62"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8.6"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7"},{"url":"https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1"},{"url":"https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135"},{"url":"https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7"},{"url":"https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126"},{"url":"https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb"}],"title":"usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()","x_generator":{"engine":"bippy-1.2.0"}}}}