CVE-2026-31616
- Source
- https://cve.org/CVERecord?id=CVE-2026-31616
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31616.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-31616
- Downstream
- Related
- Published
- 2026-04-24T14:42:35.480Z
- Modified
- 2026-06-03T03:54:29.109686039Z
- Summary
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: fphonet: fix skb frags[] overflow in pnrx_complete()
A broken/bored/mean USB host can overflow the skbsharedinfo->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers.
pnrxcomplete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGESIZE by the gadget. If the host always sends exactly PAGESIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skbaddrxfrag(). Once nrfrags exceeds MAXSKBFRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap.
Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31616.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/3d7f7e0c842242878c24b2facff8d6eda23ee1e9
- https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711
- https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673
- https://git.kernel.org/stable/c/7424f0287da73d3d8c5fa5e9d25d26fce762708e
- https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83
- https://git.kernel.org/stable/c/b5ec49fa198bd08967a3102bd41f53ccadce72c9
- https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7
- https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a
- https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31616.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-31616
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedb91cd1440870f7a0649e570498b7b93caf9f781cFixed3d7f7e0c842242878c24b2facff8d6eda23ee1e9Fixedb5ec49fa198bd08967a3102bd41f53ccadce72c9Fixed7424f0287da73d3d8c5fa5e9d25d26fce762708eFixed9ceff1251904901b0b4e5fe6350fcaffa368ce83Fixedc9315ce9da3632c591666a29de82d3e92d46bec1Fixed4e476c25bfcab0535ba7c76a903ae77ca8747711Fixedbd44ce09b9b569f49ed13e2d87d23d853fc7d6a7Fixed66f7471c4042e4eb300e30b5b9d87d1406862673Fixedc088d5dd2fffb4de1fb8e7f57751c8b82942180a
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced2.6.32Fixed5.10.258
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.209
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.175
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.136
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.83
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.24
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.14
- Type
- ECOSYSTEM
- Events
-
Introduced6.20.0Fixed7.0.1