{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31616", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.123Z", "datePublished": "2026-04-24T14:42:35.480Z", "dateUpdated": "2026-05-11T22:12:15.268Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:15.268Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info->frags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req->actual < req->length,\nwhere req->length is set to PAGE_SIZE by the gadget. If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb->frags overflow in RX path\")."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_phonet.c"], "versions": [{"version": "b91cd1440870f7a0649e570498b7b93caf9f781c", "lessThan": "9ceff1251904901b0b4e5fe6350fcaffa368ce83", "status": "affected", "versionType": "git"}, {"version": "b91cd1440870f7a0649e570498b7b93caf9f781c", "lessThan": "c9315ce9da3632c591666a29de82d3e92d46bec1", "status": "affected", "versionType": "git"}, {"version": "b91cd1440870f7a0649e570498b7b93caf9f781c", "lessThan": "4e476c25bfcab0535ba7c76a903ae77ca8747711", "status": "affected", "versionType": "git"}, {"version": "b91cd1440870f7a0649e570498b7b93caf9f781c", "lessThan": "bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7", "status": "affected", "versionType": "git"}, {"version": "b91cd1440870f7a0649e570498b7b93caf9f781c", "lessThan": "66f7471c4042e4eb300e30b5b9d87d1406862673", "status": "affected", "versionType": "git"}, {"version": "b91cd1440870f7a0649e570498b7b93caf9f781c", "lessThan": "c088d5dd2fffb4de1fb8e7f57751c8b82942180a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_phonet.c"], "versions": [{"version": "2.6.32", "status": "affected"}, {"version": "0", "lessThan": "2.6.32", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83"}, {"url": "https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1"}, {"url": "https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711"}, {"url": "https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"}, {"url": "https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673"}, {"url": "https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a"}], "title": "usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5320F96-8216-44DE-B8AC-7694F1E2D98E", "versionEndExcluding": "6.6.136", "versionStartIncluding": "2.6.32", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info->frags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req->actual < req->length,\nwhere req->length is set to PAGE_SIZE by the gadget. If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb->frags overflow in RX path\")."}], "id": "CVE-2026-31616", "lastModified": "2026-04-28T17:21:15.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:40.870", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()", "id": "2461529", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461529"}, "csaw": false, "cwe": "CWE-787", "details": ["A flaw was found in the Linux kernel's USB gadget Phonet function. A remote attacker, acting as a malicious USB host, could exploit this vulnerability by sending a continuous stream of full-page data transfers. This action causes an overflow in the kernel's internal data structures, leading to memory corruption. This memory corruption could result in a denial of service or potentially allow for arbitrary code execution."], "name": "CVE-2026-31616", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31616\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31616\nhttps://lore.kernel.org/linux-cve-announce/2026042423-CVE-2026-31616-ace5@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b91cd1440870f7a0649e570498b7b93caf9f781c,9ceff1251904901b0b4e5fe6350fcaffa368ce83)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b91cd1440870f7a0649e570498b7b93caf9f781c,c9315ce9da3632c591666a29de82d3e92d46bec1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b91cd1440870f7a0649e570498b7b93caf9f781c,4e476c25bfcab0535ba7c76a903ae77ca8747711)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b91cd1440870f7a0649e570498b7b93caf9f781c,bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b91cd1440870f7a0649e570498b7b93caf9f781c,66f7471c4042e4eb300e30b5b9d87d1406862673)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b91cd1440870f7a0649e570498b7b93caf9f781c,c088d5dd2fffb4de1fb8e7f57751c8b82942180a)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.32"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.32)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0.1,*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T23:38:48.343038+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that guards against skb fragmentation overflow in the Phonet driver (commit f0813bcd2d9d).", "If a kernel update cannot be applied immediately, disable or remove the Phonet gadget module from the kernel configuration to eliminate the vulnerable code path.", "Restrict USB host access to the gadget device, for example by disabling OTG on untrusted interfaces or configuring udev rules to limit enumeration to trusted hosts."], "summary": {"action": "Apply patch", "impact": "Memory corruption"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that include the Phonet gadget driver are affected. The vendor is the Linux kernel project. No specific version information is provided, so any kernel containing the unpatched driver may be vulnerable. Devices that expose Phonet functionality and connect to a USB host capable of sending numerous full\u2011page OUT transfers are within scope.", "description_and_impact": "A flaw in the Linux kernel USB gadget Phonet driver allows an attacker to send a sequence of full-page OUT transfers that causes the kernel\u2019s skb_shared_info->frags array to overflow. Each transfer adds a fragment and once the number of fragments exceeds MAX_SKB_FRAGS (default 17), subsequent fragment stores overwrite memory adjacent to the sk_buff helper structure. This results in an out\u2011of\u2011bounds write (CWE\u2011787) and can lead to memory corruption. The kernel also drops the skb and reports a length error when the limit is reached, preventing a memory leak (CWE\u2011401).\n\nThe vulnerability exists in any Linux kernel that includes the Phonet gadget driver. No specific kernel version is listed, so all builds containing the unpatched driver are considered vulnerable. The exploit is limited to devices exposing Phonet functionality and interacting with USB hosts capable of sending crafted OUT packets.\n\nThe CVSS score of 5.5 denotes medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not in CISA KEV. Exploitation requires a USB host that can communicate with the gadget and send exact PAGE_SIZE bytes on each transfer, so the attack vector is local and requires physical or logical access to the USB interface.", "risk_and_exploitability": "With a CVSS score of 5.5 the vulnerability rates as medium severity, and the EPSS score of less than 1% suggests exploitation chances are minimal. The vulnerability is not listed in the CISA KEV catalog. Because the overflow occurs only when a host sends a sequence of full\u2011page OUT transfers that exceed the fragment limit, the required conditions involve a USB host with direct access to the gadget. Successful exploitation could corrupt kernel memory, potentially leading to kernel crashes or privilege escalation, but no confirmed remote code execution is documented."}}}}, "created": "2026-04-27T20:30:12.049512+00:00", "updated": "2026-04-28T23:45:16.057321+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}