CVE-2026-31607

EUVD-2026-25500
In the Linux kernel, the following vulnerability has been resolved:

usbip: validate number_of_packets in usbip_pack_ret_submit()

When a USB/IP client receives a RET_SUBMIT response,
usbip_pack_ret_submit() unconditionally overwrites
urb->number_of_packets from the network PDU. This value is
subsequently used as the loop bound in usbip_recv_iso() and
usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible
array whose size was fixed at URB allocation time based on the
*original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response
to a value larger than what was originally submitted, causing a heap
out-of-bounds write when usbip_recv_iso() writes to
urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

  The buggy address is located 0 bytes to the right of
   allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already
validate number_of_packets in the CMD_SUBMIT path since commits
c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle
malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden
CMD_SUBMIT path to handle malicious input"). The server side validates
against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.
On the client side we have the original URB, so we can use the tighter
bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against
transfer_buffer_length in usbip_recv_xbuff(), which checks the
response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in
usbip_recv_iso()", v2) hardens the receive-side functions themselves;
this patch complements that work by catching the bad value at its
source -- in usbip_pack_ret_submit() before the overwrite -- and
using the tighter per-URB allocation bound rather than the global
USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against
urb->number_of_packets in usbip_pack_ret_submit() before the
overwrite. On violation, clamp to zero so that usbip_recv_iso() and
usbip_pad_iso() safely return early.
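
Added example (not code from the kernel commit or from this advisory): a user-space C model of the bounds check described above, with the unchecked overwrite beside the clamped one. The types model_urb, iso_desc and ret_submit_pdu, the allocated_packets field, the function names and the packet counts 8 and 12 are assumptions constructed for illustration; out-of-range indexes are counted, never written.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel structures (simplified, assumed layout). */
struct iso_desc { unsigned int offset, length, actual_length, status; };
struct model_urb {
    int number_of_packets;             /* overwritten from RET_SUBMIT */
    int allocated_packets;             /* model-only: slots really allocated */
    struct iso_desc iso_frame_desc[];  /* flexible array sized at allocation */
};
struct ret_submit_pdu { int number_of_packets; };

/* Before the fix: the response value replaces the original unconditionally. */
static void pack_unchecked(const struct ret_submit_pdu *rpdu, struct model_urb *urb)
{
    urb->number_of_packets = rpdu->number_of_packets;
}

/* After the fix: a count above the original is clamped to zero
 * (the n < 0 test is this model's own addition). */
static void pack_checked(const struct ret_submit_pdu *rpdu, struct model_urb *urb)
{
    int n = rpdu->number_of_packets;
    if (n < 0 || n > urb->number_of_packets)
        n = 0;
    urb->number_of_packets = n;
}

/* One CMD_SUBMIT/RET_SUBMIT round: returns how many descriptor writes the
 * receive loop would make past the allocation (-1 if allocation fails). */
static int simulate(int submitted, int response, int hardened)
{
    struct ret_submit_pdu rpdu = { response };
    struct model_urb *urb = calloc(1, sizeof(*urb) + (size_t)submitted * sizeof(struct iso_desc));
    int oob = 0;
    if (!urb) return -1;
    urb->number_of_packets = urb->allocated_packets = submitted;
    (hardened ? pack_checked : pack_unchecked)(&rpdu, urb);
    for (int i = 0; i < urb->number_of_packets; i++) {
        if (i >= urb->allocated_packets) oob++;   /* would be the heap OOB write */
        else urb->iso_frame_desc[i].status = 0;   /* in-bounds descriptor update */
    }
    free(urb);
    return oob;
}

int main(void)
{
    printf("past-the-end writes: unchecked=%d checked=%d\n", simulate(8, 12, 0), simulate(8, 12, 1));
    return 0;
}
```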

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Score
Percentile: 27%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 2.6.39 ≤ 𝑥 < 6.6.136 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.83 |
| linux | linux_kernel | 6.13 ≤ 𝑥 < 6.18.24 |
| linux | linux_kernel | 6.19 ≤ 𝑥 < 6.19.14 |
| linux | linux_kernel | 7.0 ≤ 𝑥 < 7.0.1 |

𝑥 = Vulnerable software versions

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| cluster-md-kmp-default | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| cluster-md-kmp-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| dlm-kmp-default | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| dlm-kmp-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| gfs2-kmp-default | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| gfs2-kmp-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-64kb | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-64kb | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-default | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| kernel-default | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-default-base | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| kernel-default-base | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1.150400.24.110.2 | fixed |
| kernel-default-base | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1.150600.12.52.1 | fixed |
| kernel-default-man | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| kernel-docs | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-docs | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-macros | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| kernel-macros | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-macros | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-obs-build | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-obs-build | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-source | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| kernel-source | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-source | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-syms | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| kernel-syms | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-syms | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| kernel-zfcpdump | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| kernel-zfcpdump | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| ocfs2-kmp-default | suse enterprise server 12 SP5 | 4.12.14-122.310.1 | fixed |
| ocfs2-kmp-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |
| reiserfs-kmp-default | suse enterprise server 15 SP4 | 5.14.21-150400.24.219.1 | fixed |
| reiserfs-kmp-default | suse enterprise server 15 SP6 | 6.4.0-150600.23.112.1 | fixed |

Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| kernel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug-devel-matched | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-debug-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-devel-matched | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-64k-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-abi-stablelists | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-devel-matched | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-debug-uki-virt | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-devel-matched | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-doc | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-debug | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-debug-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-debug-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-debug-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-debug-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-debug-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-64k-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-debug | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-debug-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-debug-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-debug-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-debug-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-debug-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-rt-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-tools | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-tools-libs | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-tools-libs-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-uki-virt | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-uki-virt-addons | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump-devel | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump-devel-matched | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump-modules | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump-modules-core | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| kernel-zfcpdump-modules-extra | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| libperf | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| perf | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| python3-perf | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| rtla | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |
| rv | RHEL 9 | 0:5.14.0-687.10.1.el9_8 | fixed |

Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| bpftool6.12 | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| bpftool6.12-debuginfo | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| bpftool6.18 | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| bpftool6.18-debuginfo | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel-livepatch-6.12.83-113.160 | Amazon Linux 2023 | 1:1.0-0.amzn2023 | fixed |
| kernel-livepatch-6.18.25-55.108 | Amazon Linux 2023 | 1:1.0-0.amzn2023 | fixed |
| kernel6.12 | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-debuginfo | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-debuginfo-common-aarch64 | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-debuginfo-common-x86_64 | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-devel | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-headers | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-modules-extra | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-modules-extra-common | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-tools | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-tools-debuginfo | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.12-tools-devel | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| kernel6.18 | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-debuginfo | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-debuginfo-common-aarch64 | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-debuginfo-common-x86_64 | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-devel | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-headers | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-modules-extra | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-modules-extra-common | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-tools | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-tools-debuginfo | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| kernel6.18-tools-devel | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| perf6.12 | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| perf6.12-debuginfo | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| perf6.18 | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| perf6.18-debuginfo | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| python3-perf6.12 | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| python3-perf6.12-debuginfo | Amazon Linux 2023 | 1:6.12.83-113.160.amzn2023 | fixed |
| python3-perf6.18 | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |
| python3-perf6.18-debuginfo | Amazon Linux 2023 | 1:6.18.25-55.108.amzn2023 | fixed |

Azure Linux Releases

| Azure Package | Release | Version | Status |
|---|---|---|---|
| kernel | Azure Linux 3.0 | 0:6.6.137.1-1.azl3 | fixed |