{"id":"CVE-2026-31607","summary":"usbip: validate number_of_packets in usbip_pack_ret_submit()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb-\u003enumber_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb-\u003eiso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb-\u003eiso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n  The buggy address is located 0 bytes to the right of\n   allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo's series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu-\u003enumber_of_packets against\nurb-\u003enumber_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early.","modified":"2026-06-10T18:29:14.708150130Z","published":"2026-04-24T14:42:29.468Z","related":["ALSA-2026:19568","ALSA-2026:19569","CGA-6g63-3m98-78m6","SUSE-SU-2026:2068-1","SUSE-SU-2026:2111-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2195-1","SUSE-SU-2026:2202-1","SUSE-SU-2026:2215-1","SUSE-SU-2026:2216-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","SUSE-SU-2026:2317-1","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31607.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384"},{"type":"WEB","url":"https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31607.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31607"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"1325f85fa49f57df034869de430f7c302ae23109"},{"fixed":"885c8591784da6314f9aa82fa460ac69f9f79e5f"},{"fixed":"8d155e2d1c4102f74f82a2bf9c016164bb0f7384"},{"fixed":"906f16a836de13fe61f49cdce2f66f2dbd14caf4"},{"fixed":"ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"},{"fixed":"5e1c4ece08ccdc197177631f111845a2c68eede3"},{"fixed":"2ab833a16a825373aad2ba7d54b572b277e95b71"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"d9638d9236eed035a575feddec61d036dacc2676"},{"last_affected":"ca7d3501b7a287c18b5b470e871d3029b0f4842a"},{"last_affected":"1ce528277e1a66856ed3f7526c1e3458c0ed4a70"},{"last_affected":"db898d0c5c493ce4177d5e1d3a953e079a56a24b"},{"last_affected":"5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a"}]}],"versions":["v2.6.34.10","v2.6.34.9","v2.6.38","v2.6.38-rc7","v2.6.35.12","v2.6.34.8","v2.6.37","v2.6.32.36","v2.6.33.9","v2.6.38.2","v2.6.35.11","v2.6.33.8","v2.6.38.1","v2.6.32.35","v2.6.32.34","v2.6.32.33","v2.6.33.7","v2.6.38-rc1","v2.6.38-rc8","v2.6.32.32","v2.6.38-rc2","v2.6.38-rc6","v2.6.32.31","v2.6.38-rc5","v2.6.38-rc4","v2.6.32.30","v2.6.32.29","v2.6.32.28","v2.6.38-rc3","v2.6.35.10","v2.6.37-rc4","v2.6.37-rc2","v2.6.36","v2.6.32.27","v2.6.37-rc5","v2.6.34.7","v2.6.37-rc8","v2.6.37-rc7","v2.6.37-rc6","v2.6.37-rc1","v2.6.35.9","v2.6.32.26","v2.6.37-rc3","v2.6.35.8","v2.6.32.25","v2.6.35.7","v2.6.32.24","v2.6.36-rc6","v2.6.35-rc4","v2.6.36-rc8","v2.6.35","v2.6.36-rc7","v2.6.36-rc3","v2.6.36-rc5","v2.6.32.23","v2.6.35.6","v2.6.36-rc4","v2.6.32.22","v2.6.35.5","v2.6.35.4","v2.6.32.21","v2.6.34.6","v2.6.36-rc2","v2.6.36-rc1","v2.6.35.3","v2.6.34.5","v2.6.32.20","v2.6.35.2","v2.6.34.4","v2.6.32.19","v2.6.35.1","v2.6.34.3","v2.6.32.18","v2.6.32.17","v2.6.34.2","v2.6.35-rc5","v2.6.34.1","v2.6.33.6","v2.6.32.16","v2.6.35-rc6","v2.6.34","v2.6.35-rc3","v2.6.35-rc1","v2.6.33.5","v2.6.32.15","v2.6.35-rc2","v2.6.32.14","v2.6.33.4","v2.6.34-rc7","v2.6.32.13","v2.6.33.3","v2.6.32.12","v2.6.34-rc6","v2.6.34-rc5","v2.6.34-rc4","v2.6.33.2","v2.6.32.11","v2.6.34-rc3","v2.6.34-rc2","v2.6.33.1","v2.6.32.10","v2.6.34-rc1","v2.6.33","v2.6.32.9","v2.6.33-rc6","v2.6.33-rc8","v2.6.32.8","v2.6.33-rc4","v2.6.33-rc5","v2.6.33-rc3","v2.6.33-rc7","v2.6.32.7","v2.6.32.6","v2.6.32.5","v2.6.33-rc2","v2.6.32.4","v2.6.32.3","v2.6.32","v2.6.32.2","v2.6.33-rc1","v2.6.32.1","v2.6.32-rc8","v2.6.32-rc7","v2.6.32-rc6","v2.6.31","v2.6.32-rc5","v2.6.32-rc4","v2.6.32-rc2","v2.6.32-rc1","v2.6.32-rc3","v2.6.31-rc9","v2.6.31-rc1","v2.6.31-rc7","v2.6.31-rc8","v2.6.31-rc6","v2.6.30-rc6","v2.6.30","v2.6.31-rc4","v2.6.31-rc5","v2.6.31-rc3","v2.6.31-rc2","v2.6.30-rc7","v2.6.30-rc8","v2.6.30-rc5","v2.6.30-rc3","v2.6.30-rc4","v2.6.30-rc1","v2.6.30-rc2","v2.6.29","v2.6.29-rc8","v2.6.29-rc7","v2.6.29-rc5","v2.6.29-rc1","v2.6.29-rc6","v2.6.29-rc4","v2.6.29-rc3","v2.6.29-rc2","v2.6.28","v2.6.28-rc7","v2.6.28-rc9","v2.6.28-rc8","v2.6.28-rc6","v2.6.28-rc5","v2.6.28-rc4","v2.6.28-rc2","v2.6.28-rc3","v2.6.28-rc1","v2.6.27","v2.6.27-rc7","v2.6.27-rc9","v2.6.27-rc8","v2.6.27-rc5","v2.6.27-rc6","v2.6.27-rc4","v2.6.27-rc1","v2.6.27-rc3","v2.6.27-rc2","v2.6.26","v2.6.26-rc9","v2.6.26-rc8","v2.6.26-rc3","v2.6.26-rc7","v2.6.26-rc6","v2.6.26-rc5","v2.6.26-rc4","v2.6.26-rc2","v2.6.26-rc1","v2.6.25","v2.6.25-rc7","v2.6.25-rc9","v2.6.25-rc8","v2.6.25-rc6","v2.6.25-rc5","v2.6.25-rc3","v2.6.25-rc4","v2.6.24","v2.6.25-rc2","v2.6.25-rc1","v2.6.24-rc8","v2.6.24-rc7","v2.6.24-rc6","v2.6.24-rc5","v2.6.24-rc4","v2.6.24-rc3","v2.6.24-rc2","v2.6.24-rc1","v2.6.23","v2.6.23-rc9","v2.6.23-rc8","v2.6.23-rc5","v2.6.23-rc7","v2.6.23-rc6","v2.6.23-rc4","v2.6.23-rc3","v2.6.23-rc2","v2.6.23-rc1","v2.6.22","v2.6.22-rc7","v2.6.22-rc6","v2.6.22-rc5","v2.6.22-rc4","v2.6.22-rc3","v2.6.22-rc2","v2.6.22-rc1","v2.6.21","v2.6.21-rc7","v2.6.21-rc6","v2.6.21-rc5","v2.6.21-rc4","v2.6.21-rc3","v2.6.21-rc2","v2.6.21-rc1","v2.6.20-rc7","v2.6.20-rc6","v2.6.20-rc5","v2.6.20-rc4","v2.6.20-rc3","v2.6.20-rc1","v2.6.20-rc2","v2.6.19-rc2","v2.6.18","v2.6.19-rc1","v2.6.18-rc6","v2.6.18-rc5","v2.6.18-rc3","v2.6.18-rc2","v2.6.18-rc1","v2.6.17","v2.6.17-rc4","v2.6.17-rc6","v2.6.17-rc5","v2.6.17-rc3","v2.6.17-rc2","v2.6.17-rc1","v2.6.16","v2.6.16-rc6","v2.6.16-rc4","v2.6.16-rc5","v2.6.16-rc3","v2.6.16-rc2","v2.6.16-rc1","v2.6.15-rc7","v2.6.15-rc5","v2.6.15-rc4","v2.6.15-rc2","v2.6.15-rc1","v2.6.14-rc3","v2.6.14-rc2","v2.6.14-rc1","v2.6.13","v2.6.13-rc7","v2.6.13-rc6","v2.6.13-rc5","v2.6.13-rc3","v2.6.13-rc4","v2.6.13-rc2","v2.6.13-rc1","v2.6.12-rc4","v2.6.12-rc3","v2.6.12-rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31607.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.39"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31607.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}