usbip: validate number_of_packets in usbip_pack_ret_submit()
Summary
| CVE | CVE-2026-31607 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-24 15:16:39 UTC |
| Updated | 2026-06-30 03:18:25 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT. A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region. KASAN confirmed this with kernel 7.0.0-rc5: BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40) The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets. This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size. Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit. Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early. |
Risk And Classification
Primary CVSS: v3.1 7.3 HIGH from ADP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
EPSS: 0.000180000 probability, percentile 0.048130000 (date 2026-04-27)
Problem Types: CWE-787 | CWE-805 | CWE-805 Buffer Access with Incorrect Length Value
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H |
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 324262c38438255bf6bdbf6342ca47c0badaab76 git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 973f2c250289f5bf6cc146b98aa6fdde11fe50d6 git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 ce744264b06b97069b3722511ab355738311fee0 git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 885c8591784da6314f9aa82fa460ac69f9f79e5f git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 8d155e2d1c4102f74f82a2bf9c016164bb0f7384 git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 906f16a836de13fe61f49cdce2f66f2dbd14caf4 git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 ef8ebb1c637b4cfb61a9dd2e013376774ee2033b git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 5e1c4ece08ccdc197177631f111845a2c68eede3 git | Not specified |
| CNA | Linux | Linux | affected 1325f85fa49f57df034869de430f7c302ae23109 2ab833a16a825373aad2ba7d54b572b277e95b71 git | Not specified |
| CNA | Linux | Linux | affected d9638d9236eed035a575feddec61d036dacc2676 git | Not specified |
| CNA | Linux | Linux | affected ca7d3501b7a287c18b5b470e871d3029b0f4842a git | Not specified |
| CNA | Linux | Linux | affected 1ce528277e1a66856ed3f7526c1e3458c0ed4a70 git | Not specified |
| CNA | Linux | Linux | affected db898d0c5c493ce4177d5e1d3a953e079a56a24b git | Not specified |
| CNA | Linux | Linux | affected 5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a git | Not specified |
| CNA | Linux | Linux | affected 2.6.32.37 2.6.33 semver | Not specified |
| CNA | Linux | Linux | affected 2.6.33.10 2.6.34 semver | Not specified |
| CNA | Linux | Linux | affected 2.6.34.11 2.6.35 semver | Not specified |
| CNA | Linux | Linux | affected 2.6.35.13 2.6.36 semver | Not specified |
| CNA | Linux | Linux | affected 2.6.38.3 2.6.39 semver | Not specified |
| CNA | Linux | Linux | affected 2.6.39 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.39 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.136 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.83 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.24 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.14 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.1 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Server V. 7 ELS | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Server Optional V. 7 ELS | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux BaseOS V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat CodeReady Linux Builder EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux CodeReady Linux Builder V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time For NFV EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time For NFV V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time For NFV EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time For NFV V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time EUS V. 10.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time EUS V.9.6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux Real Time V. 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| access.redhat.com/errata/RHSA-2026:19568 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:23224 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-31607 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24343 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| access.redhat.com/errata/RHSA-2026:25095 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31607.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| access.redhat.com/errata/RHSA-2026:19569 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-24T00:00:00.000Z | Reported to Red Hat. |
| ADP | 2026-04-24T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:25095: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)
ADP: RHSA-2026:24343: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)
ADP: RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)
ADP: RHSA-2026:23224: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)
ADP: RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)