CVE-2026-31412
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
The check_command_size_in_blocks() function calculates the data size in bytes by left shifting common->data_size_from_cmnd by the block size (common->curlun->blkbits). However, it does not validate whether this shift operation will cause an integer overflow.
Initially, the block size is set up in fsg_lun_open(), and common->data_size_from_cmnd is set up in do_scsi_command(). During initialization, there is no integer overflow check for the interaction between the two variables.
So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (common->data_size_from_cmnd), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses.
Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in USB mass storage gadget exposes Linux kernel to potential memory corruption via oversized SCSI commands.
Vulnerability overview
CVE-2026-31412 is an integer overflow flaw in the Linux kernel's USB Mass Storage gadget driver (f_mass_storage). The vulnerability resides in the check_command_size_in_blocks() function, which calculates the data size in bytes by left-shifting a command's data length (common->data_size_from_cmnd) by the logical block size (common->curlun->blkbits). The shift is performed without any overflow validation, allowing a malicious USB host to trigger a wraparound that produces a truncated, small value instead of the intended large size [1][2][3][4].
Exploitation scenario
To exploit this issue, an attacker must have physical access to the target device and be able to act as a USB host, sending crafted SCSI READ or WRITE commands to the gadget's storage LUN. common->data_size_from_cmnd is set during command processing in do_scsi_command(); combined with the block size set during LUN initialization in fsg_lun_open(), no bounds check exists to prevent the shift from overflowing. The overflow bypasses subsequent boundary checks, enabling the attacker to cause memory corruption or out-of-bounds reads/writes on the kernel heap [3].
Impact
Successful exploitation could lead to kernel memory corruption, potentially resulting in a denial-of-service condition (system crash) or, in more severe scenarios, arbitrary code execution in kernel context. The CVSS v3 base score of 5.5 (Medium) reflects the need for physical USB access and the potential for high impact on confidentiality, integrity, and availability.
Mitigation
The fix, introduced via commits in the stable kernel tree [1][2][3][4], uses the check_shl_overflow() macro to safely detect and handle integer overflow during the shift operation. As of April 2026, patches are available for multiple stable kernel branches. Users should apply the latest updates from their distribution. No workaround exists; physical USB port restrictions can reduce the attack surface but do not eliminate the risk from trusted peripherals.
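To make the wraparound described above concrete, here is an added userspace model of the shift before and after the fix. It is not the kernel's code: the field and function names are constructed, the sample block count is constructed, and shl_overflow_u32() is a stand-in for the kernel's check_shl_overflow() that is assumed to share its true-on-overflow contract.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's check_shl_overflow() (assumption: same contract,
 * returns true when a << shift does not fit in *out, storing the truncated value). */
static bool shl_overflow_u32(uint32_t a, unsigned int shift, uint32_t *out)
{
    if (shift >= 32) {               /* shifting by the full width is undefined in C */
        *out = 0;
        return a != 0;
    }
    uint64_t wide = (uint64_t)a << shift;   /* widen so the shift itself cannot wrap */
    *out = (uint32_t)wide;
    return wide > UINT32_MAX;        /* high bits were lost: the u32 result is truncated */
}

/* Pre-fix behaviour as the CVE text describes it: a plain u32 shift that wraps silently,
 * so the caller goes on to trust a byte count far smaller than the host asked for. */
static uint32_t size_in_bytes_unchecked(uint32_t blocks, unsigned int blkbits)
{
    return blocks << blkbits;
}

/* Fixed behaviour: the shift is validated and an overflowing command is rejected. */
struct cmd_size { bool ok; uint32_t bytes; };

static struct cmd_size size_in_bytes_checked(uint32_t blocks, unsigned int blkbits)
{
    struct cmd_size r = { .ok = false, .bytes = 0 };
    uint32_t bytes;
    if (!shl_overflow_u32(blocks, blkbits, &bytes)) {
        r.ok = true;
        r.bytes = bytes;
    }
    return r;
}

int main(void)
{
    /* Constructed sample: 0x00800001 blocks of 512 bytes (blkbits = 9) is 4 GiB + 512 bytes,
     * which a u32 byte count cannot hold; the unchecked shift reports just 512 bytes. */
    const uint32_t blocks = 0x00800001u;
    const unsigned int blkbits = 9;
    struct cmd_size r = size_in_bytes_checked(blocks, blkbits);
    printf("unchecked: %u blocks -> %u bytes\n", blocks, size_in_bytes_unchecked(blocks, blkbits));
    printf("checked:   %s\n", r.ok ? "accepted" : "rejected (shift overflow)");
    return 0;
}
```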
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
1. git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5 [nvd, Patch]
2. git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3 [nvd, Patch]
3. git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac [nvd, Patch]
4. git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1 [nvd, Patch]
5. git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc [nvd, Patch]
6. git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b [nvd, Patch]
News mentions (0)
No linked articles in our index yet.