usbip: validate number_of_packets in usbip_pack_ret_submit()
Summary
| CVE | CVE-2026-31607 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-24 15:16:39 UTC |
| Updated | 2026-06-01 17:16:51 UTC |
Description
In the Linux kernel, the following vulnerability has been resolved:

usbip: validate number_of_packets in usbip_pack_ret_submit()

When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

    BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
    Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
    The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets. This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.
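As an added illustration (not the kernel's code), a simplified C model of the check the description lays out: the packet count claimed by the RET_SUBMIT response is compared against the count the URB was allocated for, and clamped to zero on violation so the per-packet receive loop writes nothing. All struct and function names are hypothetical stand-ins; the negative-value guard is an extra check not mentioned in the description.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified model (added here, not the kernel's code) of the client-side
 * RET_SUBMIT handling: the descriptor array is sized once from the CMD_SUBMIT
 * packet count and the fix keeps later loops inside it. Names are hypothetical. */
struct model_frame { uint32_t offset, length, actual_length, status; };
struct model_urb {
    int number_of_packets;               /* original count from CMD_SUBMIT */
    struct model_frame iso_frame_desc[]; /* allocated from that count */
};
struct model_ret_submit { int number_of_packets; }; /* field from the network PDU */

/* The fix: a response may not claim more packets than were submitted. On
 * violation clamp to zero so the receive path returns early. Returns 1 when
 * rejected, 0 when accepted. The negative check is an extra guard. */
int model_pack_ret_submit(struct model_urb *urb, const struct model_ret_submit *rpdu)
{
    if (rpdu->number_of_packets < 0 || rpdu->number_of_packets > urb->number_of_packets) {
        urb->number_of_packets = 0;
        return 1;
    }
    urb->number_of_packets = rpdu->number_of_packets;
    return 0;
}

/* Stand-in for the per-descriptor receive loop; returns how many descriptors
 * it wrote, which is zero once the count has been clamped. */
int model_recv_iso(struct model_urb *urb)
{
    int i;
    for (i = 0; i < urb->number_of_packets; i++)
        urb->iso_frame_desc[i].actual_length = (uint32_t)(i + 1); /* constructed */
    return i;
}

/* Allocate a URB for `submitted` packets, then process a response claiming
 * `claimed`. Returns descriptors written, -1 if rejected, -2 if alloc fails. */
int model_run(int submitted, int claimed)
{
    struct model_urb *urb = calloc(1, sizeof *urb + (size_t)submitted * sizeof(struct model_frame));
    struct model_ret_submit rpdu = { claimed };
    int rc = -1;
    if (!urb)
        return -2;
    urb->number_of_packets = submitted;
    if (model_pack_ret_submit(urb, &rpdu) == 0)
        rc = model_recv_iso(urb);
    free(urb);
    return rc;
}
```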
Risk And Classification
Primary CVSS: v3.1 9.8 CRITICAL from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.000180000 probability, percentile 0.048130000 (date 2026-04-27)
Problem Types: CWE-787 (Out-of-bounds Write)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Status | Version(s) | Version type | Platforms |
|---|---|---|---|---|---|---|
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 324262c38438255bf6bdbf6342ca47c0badaab76 | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 973f2c250289f5bf6cc146b98aa6fdde11fe50d6 | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 ce744264b06b97069b3722511ab355738311fee0 | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 885c8591784da6314f9aa82fa460ac69f9f79e5f | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 8d155e2d1c4102f74f82a2bf9c016164bb0f7384 | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 906f16a836de13fe61f49cdce2f66f2dbd14caf4 | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 ef8ebb1c637b4cfb61a9dd2e013376774ee2033b | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 5e1c4ece08ccdc197177631f111845a2c68eede3 | git | Not specified |
| CNA | Linux | Linux | affected | 1325f85fa49f57df034869de430f7c302ae23109 2ab833a16a825373aad2ba7d54b572b277e95b71 | git | Not specified |
| CNA | Linux | Linux | affected | d9638d9236eed035a575feddec61d036dacc2676 | git | Not specified |
| CNA | Linux | Linux | affected | ca7d3501b7a287c18b5b470e871d3029b0f4842a | git | Not specified |
| CNA | Linux | Linux | affected | 1ce528277e1a66856ed3f7526c1e3458c0ed4a70 | git | Not specified |
| CNA | Linux | Linux | affected | db898d0c5c493ce4177d5e1d3a953e079a56a24b | git | Not specified |
| CNA | Linux | Linux | affected | 5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a | git | Not specified |
| CNA | Linux | Linux | affected | 2.6.32.37 2.6.33 | semver | Not specified |
| CNA | Linux | Linux | affected | 2.6.33.10 2.6.34 | semver | Not specified |
| CNA | Linux | Linux | affected | 2.6.34.11 2.6.35 | semver | Not specified |
| CNA | Linux | Linux | affected | 2.6.35.13 2.6.36 | semver | Not specified |
| CNA | Linux | Linux | affected | 2.6.38.3 2.6.39 | semver | Not specified |
| CNA | Linux | Linux | affected | 2.6.39 | | Not specified |
| CNA | Linux | Linux | unaffected | 2.6.39 | semver | Not specified |
| CNA | Linux | Linux | unaffected | 5.10.258 5.10.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 5.15.209 5.15.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.1.175 6.1.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.6.136 6.6.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.12.83 6.12.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.18.24 6.18.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 6.19.14 6.19.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 7.0.1 7.0.* | semver | Not specified |
| CNA | Linux | Linux | unaffected | 7.1-rc1 * | original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.