{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31412", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.087Z", "datePublished": "2026-04-10T10:35:05.796Z", "dateUpdated": "2026-05-11T22:08:12.685Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:08:12.685Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_mass_storage.c"], "versions": [{"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5", "lessThan": "91817ad5452defe69bc7bc0e355f0ed5d01125cc", "status": "affected", "versionType": "git"}, {"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5", "lessThan": "ce0caaed5940162780c5c223b8ae54968a5f059b", "status": "affected", "versionType": "git"}, {"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5", "lessThan": "228b37936376143f4b60cc6828663f6eaceb81b5", "status": "affected", "versionType": "git"}, {"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5", "lessThan": "3428dc5520c811e66622b2f5fa43341bf9a1f8b3", "status": "affected", "versionType": "git"}, {"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5", "lessThan": "387ebb0453b99d71491419a5dc4ab4bee0cacbac", "status": "affected", "versionType": "git"}, {"version": "144974e7f9e32b53b02f6c8632be45d8f43d6ab5", "lessThan": "8479891d1f04a8ce55366fe4ca361ccdb96f02e1", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_mass_storage.c"], "versions": [{"version": "3.3", "status": "affected"}, {"version": "0", "lessThan": "3.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.19", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.9", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.18.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "6.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc"}, {"url": "https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b"}, {"url": "https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5"}, {"url": "https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3"}, {"url": "https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac"}, {"url": "https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1"}], "title": "usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows."}], "id": "CVE-2026-31412", "lastModified": "2026-04-13T15:02:06.187", "metrics": {}, "published": "2026-04-10T11:16:22.967", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()", "id": "2457276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457276"}, "csaw": false, "cwe": "CWE-1335", "details": ["A flaw was found in the Linux kernel's USB mass storage gadget module (`usb-gadget-f_mass_storage`). A remote attacker, acting as a malicious USB host, could send a specially crafted SCSI READ or WRITE command. This action could trigger an integer overflow during data size calculation, leading to an incorrect size. This issue may bypass boundary checks, potentially resulting in memory corruption or out-of-bounds memory access."], "name": "CVE-2026-31412", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31412\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31412\nhttps://lore.kernel.org/linux-cve-announce/2026041044-CVE-2026-31412-bbc3@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[144974e7f9e32b53b02f6c8632be45d8f43d6ab5,91817ad5452defe69bc7bc0e355f0ed5d01125cc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[144974e7f9e32b53b02f6c8632be45d8f43d6ab5,ce0caaed5940162780c5c223b8ae54968a5f059b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[144974e7f9e32b53b02f6c8632be45d8f43d6ab5,228b37936376143f4b60cc6828663f6eaceb81b5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[144974e7f9e32b53b02f6c8632be45d8f43d6ab5,3428dc5520c811e66622b2f5fa43341bf9a1f8b3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[144974e7f9e32b53b02f6c8632be45d8f43d6ab5,387ebb0453b99d71491419a5dc4ab4bee0cacbac)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[144974e7f9e32b53b02f6c8632be45d8f43d6ab5,8479891d1f04a8ce55366fe4ca361ccdb96f02e1)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.3"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.3)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.19,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.9,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc4,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-11T01:21:16.413250+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that includes the patch for check_shl_overflow() in the f_mass_storage driver (see commit logs provided in the references).", "If an immediate kernel upgrade is not feasible, disable the f_mass_storage gadget module or restrict USB access to trusted hosts to prevent malicious SCSI command injection.", "Verify that the kernel configuration has the f_mass_storage gadget enabled only on platforms that require it, and consider enabling kernel bounds checking or address space layout randomization to reduce the impact of potential memory corruption."], "summary": {"action": "Patch Immediately", "impact": "Potential memory corruption via integer overflow in the USB mass storage gadget driver"}, "threat_synthesis": {"affected_systems": "Affected are all Linux kernel builds that include the f_mass_storage gadget driver and have not applied the patch referred to in the commit logs. No specific kernel version range is listed, so any kernel with the default f_mass_storage implementation is potentially vulnerable.\n", "description_and_impact": "The flaw lies in the f_mass_storage driver, where the function check_command_size_in_blocks() shifts a size value by the block size without checking for overflow. If a host issues a SCSI READ or WRITE command that requests a large data size, the shift can wrap, producing a truncated value. This bypasses buffer boundary checks and can lead to memory corruption or out\u2011of\u2011bounds accesses inside the kernel. The weakness corresponds to an unchecked shift operator vulnerability.\n", "risk_and_exploitability": "According to the available metrics, the EPSS score is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog, indicating low current exploitation probability. However, a malicious USB host controlling SCSI commands could trigger the overflow. The attack requires physical or remote access to a USB host that can exchange SCSI commands with the device, and exploitation would likely result in kernel memory corruption, potentially escalating privileges or causing a crash."}}}}, "created": "2026-04-10T14:40:49.002237+00:00", "updated": "2026-04-13T13:06:08.959936+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}