{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31615", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.123Z", "datePublished": "2026-04-24T14:42:34.806Z", "dateUpdated": "2026-05-11T22:12:13.975Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:13.975Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed driver."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/udc/renesas_usb3.c"], "versions": [{"version": "746bfe63bba37ad55956b7377c9af494e7e28929", "lessThan": "1b2bfedccc4fb8c9572e1ea464f905424c91de2a", "status": "affected", "versionType": "git"}, {"version": "746bfe63bba37ad55956b7377c9af494e7e28929", "lessThan": "adb8014599fdf0818d3d93f1f74e06cd0bdec08d", "status": "affected", "versionType": "git"}, {"version": "746bfe63bba37ad55956b7377c9af494e7e28929", "lessThan": "44216e3dd4455b798899b50eedb0ec3831dff8e0", "status": "affected", "versionType": "git"}, {"version": "746bfe63bba37ad55956b7377c9af494e7e28929", "lessThan": "37f430b2240655e6b0199a92aa1057e4d621be51", "status": "affected", "versionType": "git"}, {"version": "746bfe63bba37ad55956b7377c9af494e7e28929", "lessThan": "e3d42598f2995cdc07b7779874e7c5f8a1b773db", "status": "affected", "versionType": "git"}, {"version": "746bfe63bba37ad55956b7377c9af494e7e28929", "lessThan": "f880aac8a57ebd92abfa685d45424b2998ac1059", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/udc/renesas_usb3.c"], "versions": [{"version": "4.5", "status": "affected"}, {"version": "0", "lessThan": "4.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a"}, {"url": "https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d"}, {"url": "https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0"}, {"url": "https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51"}, {"url": "https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db"}, {"url": "https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059"}], "title": "usb: gadget: renesas_usb3: validate endpoint index in standard request handlers", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCEFD340-4D12-4082-8086-2A113C4D3AAD", "versionEndExcluding": "6.6.136", "versionStartIncluding": "4.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8BAD957-8E20-401C-A129-DFF3655CA0B7", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed driver."}], "id": "CVE-2026-31615", "lastModified": "2026-04-28T17:29:26.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:40.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers", "id": "2461475", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461475"}, "csaw": false, "cwe": "CWE-1285", "details": ["A flaw was found in the Linux kernel's renesas_usb3 and aspeed_udc drivers. These drivers did not properly validate endpoint index numbers provided by a host during standard USB requests, such as GET_STATUS and SET/CLEAR_FEATURE. This oversight could allow an attacker to provide a crafted endpoint number, potentially leading to an out-of-bounds pointer dereference. Such an issue may result in a denial of service or other unpredictable system behavior."], "name": "CVE-2026-31615", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31615\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31615\nhttps://lore.kernel.org/linux-cve-announce/2026042423-CVE-2026-31615-f19f@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[746bfe63bba37ad55956b7377c9af494e7e28929,1b2bfedccc4fb8c9572e1ea464f905424c91de2a)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[746bfe63bba37ad55956b7377c9af494e7e28929,adb8014599fdf0818d3d93f1f74e06cd0bdec08d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[746bfe63bba37ad55956b7377c9af494e7e28929,44216e3dd4455b798889b50eedb0ec3831dff8e0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[746bfe63bba37ad55956b7377c9af494e7e28929,37f430b2240655e6b0199a92aa1057e4d621be51)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[746bfe63bba37ad55956b7377c9af494e7e28929,e3d42598f2995cdc07b7779874e7c5f8a1b773db)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[746bfe63bba37ad55956b7377c9af494e7e28929,f880aac8a57ebd92abfa685d45424b2998ac1059)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,4.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T01:39:03.494256+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that validates the endpoint index before dereferencing the control\u2011transfer buffer, thereby correcting the index\u2011out\u2011of\u2011bounds bug (CWE\u20111285) and preventing null pointer dereferences (CWE\u2011476).", "If an immediate kernel upgrade is not feasible, temporarily disable the Renesas USB3 gadget driver or disconnect the device from USB hosts until the patch is applied to mitigate the risk of out\u2011of\u2011bounds dereferences.", "Add a module blacklist entry (for example, /etc/modprobe.d/blacklist-renesas_usb3.conf) to prevent automatic loading of the renesas_usb3 driver when the gadget functionality is not required, thereby reducing exposure to the index validation flaw."], "summary": {"action": "Patch immediately", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "All Linux kernel distributions that ship the renesas_usb3 gadget driver are affected. The flaw applies to kernel releases prior to the commit that introduces endpoint index validation; specific affected kernel versions are not enumerated in the advisory.", "description_and_impact": "The vulnerability exists in the Renesas USB3 gadget driver. The GET_STATUS and SET/CLEAR_FEATURE request handlers extract the endpoint number from the host\u2011supplied wIndex without validating that the number of endpoints matches the device\u2019s actual count. This oversight can cause a pointer dereference in kernel space based on an out\u2011of\u2011range index, leading to a kernel panic or other crash. The result is a loss of the gadget\u2019s functionality and a denial of service to the device.", "risk_and_exploitability": "The CVSS score of 5.5 places this issue in the medium severity range. The EPSS score is below 1\u202f%, indicating a low likelihood that this vulnerability will be exploited in the wild. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the flaw by sending a USB control request with an invalid wIndex value to the gadget device from a USB host; a successful exploit would cause a kernel crash and a temporary loss of the device\u2019s functionality."}}}}, "created": "2026-04-27T18:45:11.331839+00:00", "updated": "2026-04-29T01:45:26.023924+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}