{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31617", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.123Z", "datePublished": "2026-04-24T14:42:36.191Z", "dateUpdated": "2026-05-11T22:12:16.395Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:16.395Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts->ndp_size, the bounds check of:\n\tndp_index > (block_len - opts->ndp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts->dpe_size. With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP. This will make block_len - opts->ndp_size and\nblock_len - opts->dpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_ncm.c"], "versions": [{"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52", "lessThan": "0f156bb5334e588034ca68ac2ee92b23f66e56e7", "status": "affected", "versionType": "git"}, {"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52", "lessThan": "8757a2593631443648218244b9788e193ae0fdc1", "status": "affected", "versionType": "git"}, {"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52", "lessThan": "6762f8a95772265dd0c2ffe7f400493f3115b135", "status": "affected", "versionType": "git"}, {"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52", "lessThan": "d58ba8f6546232f8414f396c189297dbee03f1a7", "status": "affected", "versionType": "git"}, {"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52", "lessThan": "74908b0318d1df1188457040b8714ff4d4b68126", "status": "affected", "versionType": "git"}, {"version": "2b74b0a04d3e9f9f08ff026e5663dce88ff94e52", "lessThan": "8f993d30b95dc9557a8a96ceca11abed674c8acb", "status": "affected", "versionType": "git"}, {"version": "f7e0611e207d8908c4f2858e244370529a76dbf7", "status": "affected", "versionType": "git"}, {"version": "b88ad6e714284b33a47834f5f2a294c2b37c66aa", "status": "affected", "versionType": "git"}, {"version": "471b23586387a32857778c511be60ab31c98dcfd", "status": "affected", "versionType": "git"}, {"version": "4f529c4d1e436230d3af7c09a3239677a14d2b46", "status": "affected", "versionType": "git"}, {"version": "ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/usb/gadget/function/f_ncm.c"], "versions": [{"version": "5.9", "status": "affected"}, {"version": "0", "lessThan": "5.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "7.1-rc1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.235"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.196"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.143"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.62"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.8.6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7"}, {"url": "https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1"}, {"url": "https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135"}, {"url": "https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7"}, {"url": "https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126"}, {"url": "https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb"}], "title": "usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F07F4AC-C44A-486A-9422-D8975351BA25", "versionEndExcluding": "6.6.136", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8BAD957-8E20-401C-A129-DFF3655CA0B7", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.12", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts->ndp_size, the bounds check of:\n\tndp_index > (block_len - opts->ndp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts->dpe_size. With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP. This will make block_len - opts->ndp_size and\nblock_len - opts->dpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM."}], "id": "CVE-2026-31617", "lastModified": "2026-04-28T17:27:20.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:40.973", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()", "id": "2461448", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461448"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-191", "details": ["A flaw was found in the Linux kernel's USB Network Control Model (NCM) gadget driver. A malicious USB host could exploit an integer underflow vulnerability when processing Network Transfer Block (NTB) headers. This allows the host to manipulate internal data pointers, causing adjacent kernel memory to be copied into network buffers. This issue can lead to information disclosure from the kernel."], "name": "CVE-2026-31617", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31617\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31617\nhttps://lore.kernel.org/linux-cve-announce/2026042424-CVE-2026-31617-6e1b@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2b74b0a04d3e9f9f08ff026e5663dce88ff94e52,0f156bb5334e588034ca68ac2ee92b23f66e56e7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2b74b0a04d3e9f9f08ff026e5663dce88ff94e52,8757a2593631443648218244b9788e193ae0fdc1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2b74b0a04d3e9f9f08ff026e5663dce88ff94e52,6762f8a95772265dd0c2ffe7f400493f3115b135)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2b74b0a04d3e9f9f08ff026e5663dce88ff94e52,d58ba8f6546232f8414f396c189297dbee03f1a7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2b74b0a04d3e9f9f08ff026e5663dce88ff94e52,74908b0318d1df1188457040b8714ff4d4b68126)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[2b74b0a04d3e9f9f08ff026e5663dce88ff94e52,8f993d30b95dc9557a8a96ceca11abed674c8acb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "f7e0611e207d8908c4f2858e244370529a76dbf7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "b88ad6e714284b33a47834f5f2a294c2b37c66aa"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "471b23586387a32857778c511be60ab31c98dcfd"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "4f529c4d1e436230d3af7c09a3239677a14d2b46"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,5.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:11:00.868159+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes commit 8d2b1a1ec9f5, which validates the minimum block length in ncm_unwrap_ntb()", "If a kernel update is not yet feasible, disable the NCM gadget function or unload the f_ncm module before accepting connections from untrusted USB hosts", "Verify that the firmware uses a secure USB environment by restricting the USB gadget interfaces to trusted devices or by isolating the gadget subsystem in a virtualized container"], "summary": {"action": "Patch immediately", "impact": "Kernel memory corruption that can lead to privilege escalation or denial of service"}, "threat_synthesis": {"affected_systems": "Any system running a Linux kernel with the USB gadget NCM driver is potentially affected. The vulnerability applies to all kernel versions prior to the defect\u2011fix commit and is not limited to a specific distribution; all vendors that ship unpatched kernels are at risk.", "description_and_impact": "A numeric underflow in the USB NCM driver allows a hostile USB host to supply a block length that is smaller than the minimum required for a valid NTB header. This underflow corrupts bounds checks on NDP and datagram indices, enabling the driver to copy kernel memory into a network socket buffer. The resulting memory vulnerability can be abused to inject corrupted data into the kernel or to trigger a crash, giving an attacker the possibility to gain elevated privileges or to cause a denial of service.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium severity. The EPSS score of less than 1% implies that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires a malicious USB host that can control the NTB header, which is a local and relatively easy vector to present to a device with USB gadget functionality. Because the flaw allows arbitrary kernel memory contamination, an attacker could potentially execute code at kernel privilege or cause a system crash if the driver is active on the target device."}}}}, "created": "2026-04-27T18:45:11.331141+00:00", "updated": "2026-04-28T20:15:26.826986+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}