CVE-2026-31617
Description
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely.
The same underflow occurs in the datagram index checks against block_len - opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb.
Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined.
Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing lower-bound check on block_len in Linux kernel's USB f_ncm gadget allows a malicious USB host to leak kernel memory via underflowed bounds checks.
Vulnerability
In the Linux kernel's USB f_ncm gadget driver, the function ncm_unwrap_ntb() reads a block_len value from the NTB header supplied by the USB host. This value is only checked against an upper limit (ntb_max), but lacks a minimum validation. When block_len is smaller than opts->ndp_size, the subsequent bounds check ndp_index > (block_len - opts->ndp_size) underflows, producing a very large unsigned result that ndp_index can never exceed, effectively bypassing the check entirely. The same underflow occurs in the datagram index checks against block_len - opts->dpe_size [1][2][3][4].
Exploitation
A malicious USB host can exploit this by supplying a crafted NTB header with a block_len that is too small to hold the gadget device. Because the bounds checks are neutered by the underflow, the host can choose ndp_index and datagram offsets that point beyond the actual transfer buffer. No authentication is required beyond the ability to act as a USB host to the target gadget device.
Impact
With the bounds checks defeated, the driver's skb_put_data() call copies adjacent kernel memory into the network socket buffer (skb). This allows the attacker to leak sensitive kernel memory contents to the network layer, potentially exposing confidential data. The vulnerability is rated Medium (CVSS 5.5) and can lead to information disclosure.
Mitigation
The fix adds a lower-bound check that rejects block_len values too small to hold at least the NTB header plus one NDP, ensuring that block_len - opts->ndp_size and block_len - opts->dpe_size are always well-defined. The patch has been applied to the stable kernel branches as referenced [1][2][3][4]. Users should update to the latest patched kernel version.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7nvdPatch
- git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135nvdPatch
- git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126nvdPatch
- git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1nvdPatch
- git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acbnvdPatch
- git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7nvdPatch
News mentions
0No linked articles in our index yet.