CVE-2026-31616
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of full-page OUT transfers.
pn_rx_complete() finalizes the skb only when req->actual < req->length, where req->length is set to PAGE_SIZE by the gadget. If the host always sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be reset and each completion will add another fragment via skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17), subsequent frag stores overwrite memory adjacent to the shinfo on the heap.
Drop the skb and account a length error when the frag limit is reached, matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path").
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious USB host can overflow the skb frags array in the Linux kernel's Phonet gadget function, leading to memory corruption.
Vulnerability
Overview
CVE-2026-31616 is a medium-severity vulnerability in the Linux kernel's USB gadget subsystem, specifically in the f_phonet function. The root cause is an unbounded accumulation of fragments in the skb_shared_info->frags[] array within pn_rx_complete(). When a malicious USB host sends a sequence of OUT transfers that are exactly PAGE_SIZE bytes each, the driver never finalizes the skb (because req->actual never becomes less than req->length), and each completion adds a new fragment via skb_add_rx_frag(). Once the number of fragments exceeds MAX_SKB_FRAGS (default 17), subsequent writes corrupt heap memory adjacent to the shared info structure [1][2].
Exploitation and Attack Surface
Exploitation requires a malicious USB host connected to a Linux device that exposes a Phonet function through the USB gadget framework. No authentication is needed; the host simply sends USB OUT transfers of exactly PAGE_SIZE bytes repeatedly. The attack surface is limited to physical USB connections or virtual USB-over-IP scenarios where the host can control transfer sizes. The vulnerability is triggered entirely by the host's behavior, without any special privileges on the gadget side [3].
Impact
A successful overflow can corrupt kernel heap memory, potentially leading to a denial of service (system crash) or, in more sophisticated attacks, arbitrary code execution with kernel privileges. The CVSS v3 base score of 5.5 reflects a medium severity, with high availability impact and low attack complexity.
Mitigation
The fix, already merged into the stable kernel tree, drops the skb and accounts a length error when the fragment limit is reached, mirroring a similar fix in the t7xx driver (commit f0813bcd2d9d). Users should apply the relevant stable kernel updates containing commits 66f7471c4042, 9ceff1251904, c088d5dd2fff, or bd44ce09b9b5 [1][2][3][4]. No workaround is available; updating the kernel is the recommended mitigation.
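The accumulation described above, as an added userspace model that is not the kernel's code and not part of the CVE record: the constants, struct layouts, the stand-in for skb_add_rx_frag() and the exact placement of the frag-limit check are assumptions simplified from the description. It replays a host sending only PAGE_SIZE transfers against the unpatched and the patched completion logic, counting the frag stores that would land past frags[] instead of performing them.

```c
#include <stdbool.h>
#include <string.h>
/* Simplified stand-ins for the kernel's constants and structs (assumptions). */
#define PAGE_SIZE     4096
#define MAX_SKB_FRAGS 17                    /* default frag limit named above */
struct model_skb { unsigned int nr_frags; size_t frags[MAX_SKB_FRAGS]; };
struct model_port {
    bool patched;                           /* apply the CVE-2026-31616 fix? */
    struct model_skb *rx_skb;               /* fp->rx.skb: packet being assembled */
    struct model_skb storage;               /* backing memory for that single skb */
    unsigned long rx_packets;               /* dev->stats.rx_packets */
    unsigned long rx_length_errors;         /* dev->stats.rx_length_errors */
    unsigned long out_of_bounds_stores;     /* unpatched: frag stores past frags[] */
};
/* One OUT-transfer completion: `actual` bytes received for a PAGE_SIZE request.
 * Returns true when the packet is finalized (where the kernel calls netif_rx). */
static bool pn_rx_complete_model(struct model_port *fp, size_t actual) {
    struct model_skb *skb = fp->rx_skb;
    if (!skb) {                             /* first page: start a fresh skb */
        fp->storage.nr_frags = 0;
        skb = fp->rx_skb = &fp->storage;
    }
    if (skb->nr_frags >= MAX_SKB_FRAGS) {
        if (fp->patched) {                  /* the fix: drop skb, count a length error */
            fp->rx_length_errors++;
            fp->rx_skb = NULL;
            return false;
        }
        /* Unpatched logic would store into frags[17], frags[18], ...; count instead. */
        fp->out_of_bounds_stores++;
        skb->nr_frags++;
    } else {
        skb->frags[skb->nr_frags++] = actual;   /* skb_add_rx_frag() */
    }
    if (actual < PAGE_SIZE) {               /* short transfer: last fragment */
        fp->rx_packets++;
        fp->rx_skb = NULL;
        return true;
    }
    return false;                           /* full page: keep appending */
}
/* The host sends `full_pages` PAGE_SIZE transfers, then one short one. */
static struct model_port run_host_sequence(bool patched, unsigned full_pages) {
    struct model_port fp;
    memset(&fp, 0, sizeof fp);
    fp.patched = patched;
    for (unsigned i = 0; i < full_pages; i++)
        pn_rx_complete_model(&fp, PAGE_SIZE);
    pn_rx_complete_model(&fp, 100);         /* constructed short trailing transfer */
    return fp;
}
```

With 20 full pages the unpatched port performs four stores past the array (pages 18 to 20 plus the trailing short transfer), while the patched port drops one skb, accounts one rx_length_error and still delivers the packet that the host starts afterwards.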
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
References
- git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711 (nvd, Patch)
- git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673 (nvd, Patch)
- git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83 (nvd, Patch)
- git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7 (nvd, Patch)
- git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a (nvd, Patch)
- git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1 (nvd, Patch)