CVE-2026-31607

When a USB/IP client receives a RETSUBMIT response, usbippackretsubmit() unconditionally overwrites urb->numberofpackets from the network PDU. This value is subsequently used as the loop bound in usbiprecviso() and usbippadiso() to iterate over urb->isoframedesc[], a flexible array whose size was fixed at URB allocation time based on the original numberofpackets from the CMD_SUBMIT.

A malicious USB/IP server can set numberofpackets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbiprecviso() writes to urb->isoframedesc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

BUG: KASAN: slab-out-of-bounds in usbiprecviso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stubrx.c) and gadget side (vudcrx.c) already validate numberofpackets in the CMDSUBMIT path since commits c6688ef9f297 ("usbip: fix stubrx: harden CMDSUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudcrx: harden CMDSUBMIT path to handle malicious input"). The server side validates against USBIPMAXISOPACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original numberofpackets.

This mirrors the existing validation of actuallength against transferbufferlength in usbiprecv_xbuff(), which checks the response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbiprecviso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbippackretsubmit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIPMAXISOPACKETS limit.

Fix this by checking rpdu->numberofpackets against urb->numberofpackets in usbippackretsubmit() before the overwrite. On violation, clamp to zero so that usbiprecviso() and usbippad_iso() safely return early.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31607.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

1325f85fa49f57df034869de430f7c302ae23109

Fixed

885c8591784da6314f9aa82fa460ac69f9f79e5f

Fixed

8d155e2d1c4102f74f82a2bf9c016164bb0f7384

Fixed

906f16a836de13fe61f49cdce2f66f2dbd14caf4

Fixed

ef8ebb1c637b4cfb61a9dd2e013376774ee2033b

Fixed

5e1c4ece08ccdc197177631f111845a2c68eede3

Fixed

2ab833a16a825373aad2ba7d54b572b277e95b71

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

d9638d9236eed035a575feddec61d036dacc2676

Last affected

ca7d3501b7a287c18b5b470e871d3029b0f4842a

Last affected

1ce528277e1a66856ed3f7526c1e3458c0ed4a70

Last affected

db898d0c5c493ce4177d5e1d3a953e079a56a24b

Last affected

5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a

Affected versions

v2.*

v2.6.12-rc2

v2.6.12-rc3

v2.6.12-rc4

v2.6.13

v2.6.13-rc1

v2.6.13-rc2

v2.6.13-rc3

v2.6.13-rc4

v2.6.13-rc5

v2.6.13-rc6

v2.6.13-rc7

v2.6.14-rc1

v2.6.14-rc2

v2.6.14-rc3

v2.6.15-rc1

v2.6.15-rc2

v2.6.15-rc4

v2.6.15-rc5

v2.6.15-rc7

v2.6.16

v2.6.16-rc1

v2.6.16-rc2

v2.6.16-rc3

v2.6.16-rc4

v2.6.16-rc5

v2.6.16-rc6

v2.6.17

v2.6.17-rc1

v2.6.17-rc2

v2.6.17-rc3

v2.6.17-rc4

v2.6.17-rc5

v2.6.17-rc6

v2.6.18

v2.6.18-rc1

v2.6.18-rc2

v2.6.18-rc3

v2.6.18-rc5

v2.6.18-rc6

v2.6.19-rc1

v2.6.19-rc2

v2.6.20-rc1

v2.6.20-rc2

v2.6.20-rc3

v2.6.20-rc4

v2.6.20-rc5

v2.6.20-rc6

v2.6.20-rc7

v2.6.21

v2.6.21-rc1

v2.6.21-rc2

v2.6.21-rc3

v2.6.21-rc4

v2.6.21-rc5

v2.6.21-rc6

v2.6.21-rc7

v2.6.22

v2.6.22-rc1

v2.6.22-rc2

v2.6.22-rc3

v2.6.22-rc4

v2.6.22-rc5

v2.6.22-rc6

v2.6.22-rc7

v2.6.23

v2.6.23-rc1

v2.6.23-rc2

v2.6.23-rc3

v2.6.23-rc4

v2.6.23-rc5

v2.6.23-rc6

v2.6.23-rc7

v2.6.23-rc8

v2.6.23-rc9

v2.6.24

v2.6.24-rc1

v2.6.24-rc2

v2.6.24-rc3

v2.6.24-rc4

v2.6.24-rc5

v2.6.24-rc6

v2.6.24-rc7

v2.6.24-rc8

v2.6.25

v2.6.25-rc1

v2.6.25-rc2

v2.6.25-rc3

v2.6.25-rc4

v2.6.25-rc5

v2.6.25-rc6

v2.6.25-rc7

v2.6.25-rc8

v2.6.25-rc9

v2.6.26

v2.6.26-rc1

v2.6.26-rc2

v2.6.26-rc3

v2.6.26-rc4

v2.6.26-rc5

v2.6.26-rc6

v2.6.26-rc7

v2.6.26-rc8

v2.6.26-rc9

v2.6.27

v2.6.27-rc1

v2.6.27-rc2

v2.6.27-rc3

v2.6.27-rc4

v2.6.27-rc5

v2.6.27-rc6

v2.6.27-rc7

v2.6.27-rc8

v2.6.27-rc9

v2.6.28

v2.6.28-rc1

v2.6.28-rc2

v2.6.28-rc3

v2.6.28-rc4

v2.6.28-rc5

v2.6.28-rc6

v2.6.28-rc7

v2.6.28-rc8

v2.6.28-rc9

v2.6.29

v2.6.29-rc1

v2.6.29-rc2

v2.6.29-rc3

v2.6.29-rc4

v2.6.29-rc5

v2.6.29-rc6

v2.6.29-rc7

v2.6.29-rc8

v2.6.30

v2.6.30-rc1

v2.6.30-rc2

v2.6.30-rc3

v2.6.30-rc4

v2.6.30-rc5

v2.6.30-rc6

v2.6.30-rc7

v2.6.30-rc8

v2.6.31

v2.6.31-rc1

v2.6.31-rc2

v2.6.31-rc3

v2.6.31-rc4

v2.6.31-rc5

v2.6.31-rc6

v2.6.31-rc7

v2.6.31-rc8

v2.6.31-rc9

v2.6.32

v2.6.32-rc1

v2.6.32-rc2

v2.6.32-rc3

v2.6.32-rc4

v2.6.32-rc5

v2.6.32-rc6

v2.6.32-rc7

v2.6.32-rc8

v2.6.32.1

v2.6.32.10

v2.6.32.11

v2.6.32.12

v2.6.32.13

v2.6.32.14

v2.6.32.15

v2.6.32.16

v2.6.32.17

v2.6.32.18

v2.6.32.19

v2.6.32.2

v2.6.32.20

v2.6.32.21

v2.6.32.22

v2.6.32.23

v2.6.32.24

v2.6.32.25

v2.6.32.26

v2.6.32.27

v2.6.32.28

v2.6.32.29

v2.6.32.3

v2.6.32.30

v2.6.32.31

v2.6.32.32

v2.6.32.33

v2.6.32.34

v2.6.32.35

v2.6.32.36

v2.6.32.4

v2.6.32.5

v2.6.32.6

v2.6.32.7

v2.6.32.8

v2.6.32.9

v2.6.33

v2.6.33-rc1

v2.6.33-rc2

v2.6.33-rc3

v2.6.33-rc4

v2.6.33-rc5

v2.6.33-rc6

v2.6.33-rc7

v2.6.33-rc8

v2.6.33.1

v2.6.33.2

v2.6.33.3

v2.6.33.4

v2.6.33.5

v2.6.33.6

v2.6.33.7

v2.6.33.8

v2.6.33.9

v2.6.34

v2.6.34-rc1

v2.6.34-rc2

v2.6.34-rc3

v2.6.34-rc4

v2.6.34-rc5

v2.6.34-rc6

v2.6.34-rc7

v2.6.34.1

v2.6.34.10

v2.6.34.2

v2.6.34.3

v2.6.34.4

v2.6.34.5

v2.6.34.6

v2.6.34.7

v2.6.34.8

v2.6.34.9

v2.6.35

v2.6.35-rc1

v2.6.35-rc2

v2.6.35-rc3

v2.6.35-rc4

v2.6.35-rc5

v2.6.35-rc6

v2.6.35.1

v2.6.35.10

v2.6.35.11

v2.6.35.12

v2.6.35.2

v2.6.35.3

v2.6.35.4

v2.6.35.5

v2.6.35.6

v2.6.35.7

v2.6.35.8

v2.6.35.9

v2.6.36

v2.6.36-rc1

v2.6.36-rc2

v2.6.36-rc3

v2.6.36-rc4

v2.6.36-rc5

v2.6.36-rc6

v2.6.36-rc7

v2.6.36-rc8

v2.6.37

v2.6.37-rc1

v2.6.37-rc2

v2.6.37-rc3

v2.6.37-rc4

v2.6.37-rc5

v2.6.37-rc6

v2.6.37-rc7

v2.6.37-rc8

v2.6.38

v2.6.38-rc1

v2.6.38-rc2

v2.6.38-rc3

v2.6.38-rc4

v2.6.38-rc5

v2.6.38-rc6

v2.6.38-rc7

v2.6.38-rc8

v2.6.38.1

v2.6.38.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31607.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.39

Fixed

6.6.136

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.83

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.24

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.14

Type: ECOSYSTEM
Events: Introduced

6.20.0

Fixed

7.0.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31607.json"