{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31623", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.124Z", "datePublished": "2026-04-24T14:42:40.566Z", "dateUpdated": "2026-05-11T22:12:23.408Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:23.408Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info->frags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached. This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb->frags overflow in RX path\") did for the\nt7xx driver."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/cdc-phonet.c"], "versions": [{"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782", "lessThan": "d4e1946bea8d6441835eb3fd09b19237ba366a6f", "status": "affected", "versionType": "git"}, {"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782", "lessThan": "a23b1b1aaf41e174181d5853a70e65d4d01e648c", "status": "affected", "versionType": "git"}, {"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782", "lessThan": "c183d5775129a0a7495bd61a6e57ec230dcf01e5", "status": "affected", "versionType": "git"}, {"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782", "lessThan": "ebf75c6301c4972a87542ebf2d994c6391eb5d46", "status": "affected", "versionType": "git"}, {"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782", "lessThan": "9989938d13cc5ba8447eeed5a61acfcf61bc6801", "status": "affected", "versionType": "git"}, {"version": "87cf65601e1709e57f7e28f0f7b3eb0a992c1782", "lessThan": "600dc40554dc5ad1e6f3af51f700228033f43ea7", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/usb/cdc-phonet.c"], "versions": [{"version": "2.6.31", "status": "affected"}, {"version": "0", "lessThan": "2.6.31", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f"}, {"url": "https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c"}, {"url": "https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5"}, {"url": "https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46"}, {"url": "https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801"}, {"url": "https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7"}], "title": "net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F537DD4C-1540-41DE-85CB-6B14F7030A5F", "versionEndExcluding": "6.6.136", "versionStartIncluding": "2.6.31", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info->frags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached. This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb->frags overflow in RX path\") did for the\nt7xx driver."}], "id": "CVE-2026-31623", "lastModified": "2026-04-28T14:17:26.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:41.587", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()", "id": "2461478", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461478"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in the Linux kernel's cdc-phonet driver. A malicious USB device, pretending to be a CDC Phonet modem, can exploit this vulnerability by sending an unlimited number of large data transfers. This can cause an overflow in the kernel's internal data buffer (skb_shared_info->frags[] array), leading to a Denial of Service (DoS) condition where the system may become unresponsive or crash."], "name": "CVE-2026-31623", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31623\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31623\nhttps://lore.kernel.org/linux-cve-announce/2026042426-CVE-2026-31623-64d8@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,d4e1946bea8d6441835eb3fd09b19237ba366a6f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,a23b1b1aaf41e174181d5853a70e65d4d01e648c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,c183d5775129a0a7495bd61a6e57ec230dcf01e5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,ebf75c6301c4972a87542ebf2d994c6391eb5d46)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,9989938d13cc5ba8447eeed5a61acfcf61bc6801)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,600dc40554dc5ad1e6f3af51f700228033f43ea7)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.31"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.31)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,8.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:09:09.593308+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the fix for commit 600dc405", "If an upgrade is not immediately possible, unload the cdc_phonet module with \"modprobe -r cdc_phonet\" or blacklist it in modules.conf to prevent the driver from loading", "Apply stricter USB device restrictions, such as limiting USB host controller access or blocking untrusted CDC\u2011Phonet devices with udev rules"], "summary": {"action": "Patch Immediately", "impact": "Memory corruption leading to potential privilege escalation or remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all Linux kernel versions prior to the application of the fix contained in commit 600dc405 and related patches. All standard kernel distributions that include the cdc_phonet driver are impacted, regardless of edition, unless the module has been removed or the kernel has been updated to a version containing the fix.", "description_and_impact": "A malicious USB device masquerading as a CDC Phonet modem can send an unbounded sequence of full\u2011page bulk transfers, which causes an overflow of the skb_shared_info->frags array within the Linux kernel's CDC\u2011Phonet driver. The overflow can corrupt kernel memory, potentially allowing an attacker to execute arbitrary code with kernel privileges or to crash the system.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium impact, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local attacker who can physically attach a malicious USB device to the target system. Because the flaw resides in kernel memory handling, successful exploitation could lead to privilege escalation or denial of service. The patch mitigates the overflow by dropping the skb and recording a length error when the fragment limit is reached, but systems running unpatched kernels remain at risk."}}}}, "created": "2026-04-27T18:45:11.328741+00:00", "updated": "2026-04-28T20:15:26.822921+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}