{"id":"CVE-2026-31616","summary":"usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info-\u003efrags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req-\u003eactual \u003c req-\u003elength,\nwhere req-\u003elength is set to PAGE_SIZE by the gadget.  If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp-\u003erx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag().  Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb-\u003efrags overflow in RX path\").","modified":"2026-06-03T03:54:29.109686039Z","published":"2026-04-24T14:42:35.480Z","related":["CGA-xxcp-6f9q-6hgw","openSUSE-SU-2026:10703-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31616.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/3d7f7e0c842242878c24b2facff8d6eda23ee1e9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711"},{"type":"WEB","url":"https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7424f0287da73d3d8c5fa5e9d25d26fce762708e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b5ec49fa198bd08967a3102bd41f53ccadce72c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31616.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31616"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b91cd1440870f7a0649e570498b7b93caf9f781c"},{"fixed":"3d7f7e0c842242878c24b2facff8d6eda23ee1e9"},{"fixed":"b5ec49fa198bd08967a3102bd41f53ccadce72c9"},{"fixed":"7424f0287da73d3d8c5fa5e9d25d26fce762708e"},{"fixed":"9ceff1251904901b0b4e5fe6350fcaffa368ce83"},{"fixed":"c9315ce9da3632c591666a29de82d3e92d46bec1"},{"fixed":"4e476c25bfcab0535ba7c76a903ae77ca8747711"},{"fixed":"bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"},{"fixed":"66f7471c4042e4eb300e30b5b9d87d1406862673"},{"fixed":"c088d5dd2fffb4de1fb8e7f57751c8b82942180a"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31616.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.32"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31616.json"}}],"schema_version":"1.7.5"}