CVE-2026-31607CRITICAL 9.8EPSS p42.9%
CVE-2026-31607CVE-2026-31607
linux / linux_kernel
Description
In the Linux kernel, the following vulnerability has been resolved:
usbip: validate number_of_packets in usbip_pack_ret_submit()
When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.
A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.
KASAN confirmed this with kernel 7.0.0-rc5:
BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
Write of size 4 at addr ffff888106351d40 by task vhci_rx/69
The buggy address is located 0 bytes to the right o
Scoring
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.58% probability of exploitation · percentile 42.9% · 2026-06-18T12:00:27Z |
| Published | 2026-04-24 |
| Last modified | 2026-06-01 |
Underlying weaknesses· 1
References
- https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71
- https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3
- https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f
- https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384
- https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4
- https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b
1
| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Out-of-bounds Writecwe-787 | 0% | live |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.