CVE-2026-31617

EUVD-2026-25510

24.04.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

The block_len read from the host-supplied NTB header is checked against
ntb_max but has no lower bound. When block_len is smaller than
opts->ndp_size, the bounds check of:
	ndp_index > (block_len - opts->ndp_size)
will underflow producing a huge unsigned value that ndp_index can never
exceed, defeating the check entirely.

The same underflow occurs in the datagram index checks against block_len
- opts->dpe_size.  With those checks neutered, a malicious USB host can
choose ndp_index and datagram offsets that point past the actual
transfer, and the skb_put_data() copies adjacent kernel memory into the
network skb.

Fix this by rejecting block lengths that cannot hold at least the NTB
header plus one NDP.  This will make block_len - opts->ndp_size and
block_len - opts->dpe_size both well-defined.

Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed
a related class of issues on the host side of NCM.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.9 ≤ 𝑥 < 6.6.136
linux	linux_kernel	6.12 ≤ 𝑥 < 6.12.83
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.24
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.14
linux	linux_kernel	7.0 ≤ 𝑥 < 7.0.1

𝑥

= Vulnerable software versions

Vulnerability Media Exposure

[GERMAN] Linux Kernel: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen im Linux Kernel ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, welche zu einem Denial-of-Service-Zustand, einer Rechteausweitung, der Ausführung von Code oder einer Speicherbeschädigung führen könnten.
Published: 2026-04-26T22:00:00+00:00

References

https://git.kernel.org/stable/c/068a7f2749fff6462a0a908ec415b885fe430f50

https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7

https://git.kernel.org/stable/c/1425655c2870054c3ab4712e2b6dbdd331597ada

https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135

https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126

https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1

https://git.kernel.org/stable/c/8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca

https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb

https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7