CRITICAL

CVE-2026-31607

Published: April 24, 2026 · Updated: Apr 28, 2026

CVSS v3.1 base score: 9.8
EPSS: 0.02% probability of exploitation in 30 days (percentile: 4.8th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

usbip: validate number_of_packets in usbip_pack_ret_submit()

When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT.

A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5:

  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640
  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69

  The buggy address is located 0 bytes to the right of
  allocated 320-byte region [ffff888106351c00, ffff888106351d40)

The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size.

Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit.

Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.


Technical Analysis

CVE-2026-31607 is scored as network-reachable (AV:N) because the malicious value arrives in a RET_SUBMIT PDU on the USB/IP TCP connection. The exposed party is the USB/IP client: a Linux host running the vhci_hcd driver that has attached a device exported by a server it does not control, or whose USB/IP traffic an attacker can tamper with. Hosts that act only as USB/IP servers (stub_rx.c) or gadgets (vudc_rx.c) are not affected by this issue; their CMD_SUBMIT path was hardened by earlier commits.

The vector records no privileges and no user interaction because the client-side receive thread (vhci_rx in the KASAN report) processes the response on its own. Exploitation still requires an attacker-controlled or tampered server answering an isochronous URB from the client, so this is not a bug that can be sprayed at arbitrary hosts; no public exploit is known and the EPSS estimate is 0.02%.

A successful trigger is a heap out-of-bounds write in kernel memory (KASAN: slab-out-of-bounds in usbip_recv_iso), which CVSS scores as High for confidentiality, integrity and availability (base score 9.8). The reliable outcome is a kernel crash on the client; turning the write into code execution would require further work that the advisory does not describe.
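The overwrite described in the commit message and the clamp it introduces, as an added model in C that is not the kernel's own code. The struct and function names are simplified stand-ins for struct urb, struct usbip_header_ret_submit, usbip_pack_ret_submit() and usbip_recv_iso(); the out-of-bounds descriptor writes are counted instead of performed so the program runs safely, and the rejection of negative counts in the fixed variant is an extra guard of this model, not something the commit message states.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Model of struct usb_iso_packet_descriptor: 16 bytes per packet. */
struct iso_desc {
    uint32_t offset;
    uint32_t length;
    uint32_t actual_length;
    int32_t  status;
};

/* Model of the parts of struct urb that matter here. The flexible array is
 * sized once, at allocation, from the CMD_SUBMIT packet count.
 * allocated_packets is a model-only field used to detect overruns. */
struct model_urb {
    int number_of_packets;
    int allocated_packets;
    struct iso_desc iso_frame_desc[];
};

/* Model of the RET_SUBMIT fields the client unpacks from the wire. */
struct ret_submit_pdu {
    int32_t status;
    int32_t actual_length;
    int32_t start_frame;
    int32_t number_of_packets;
    int32_t error_count;
};

static struct model_urb *alloc_urb(int packets)
{
    struct model_urb *urb = calloc(1, sizeof(*urb) + (size_t)packets * sizeof(struct iso_desc));
    if (!urb) abort();
    urb->number_of_packets = packets;
    urb->allocated_packets = packets;
    return urb;
}

/* Pre-fix behaviour: trust the server's count unconditionally. */
void pack_ret_submit_vulnerable(struct model_urb *urb, const struct ret_submit_pdu *rpdu)
{
    urb->number_of_packets = rpdu->number_of_packets;
}

/* Fixed behaviour as the commit message describes it: a response claiming more
 * packets than the original CMD_SUBMIT is clamped to zero so the iso receive
 * path returns early. The "< 0" test is an extra guard in this model. */
void pack_ret_submit_fixed(struct model_urb *urb, const struct ret_submit_pdu *rpdu)
{
    if (rpdu->number_of_packets < 0 || rpdu->number_of_packets > urb->number_of_packets)
        urb->number_of_packets = 0;
    else
        urb->number_of_packets = rpdu->number_of_packets;
}

/* Model of the loop in usbip_recv_iso(): one 4-byte actual_length write per
 * packet, bounded by urb->number_of_packets. When i runs past the allocation
 * the overrun is counted and returned instead of corrupting the heap. */
int recv_iso_count_oob(struct model_urb *urb, const uint32_t *wire_lengths)
{
    int oob = 0;
    for (int i = 0; i < urb->number_of_packets; i++) {
        if (i >= urb->allocated_packets) { oob++; continue; }
        urb->iso_frame_desc[i].actual_length = wire_lengths[i];
    }
    return oob;
}

/* One scenario: a URB submitted with `original` packets receives a RET_SUBMIT
 * claiming `claimed` packets. Returns the number of out-of-bounds descriptor
 * writes the receive loop would have made; *packets_out (if non-NULL) gets the
 * packet count left in the URB after packing. */
int simulate(void (*pack)(struct model_urb *, const struct ret_submit_pdu *),
             int original, int claimed, int *packets_out)
{
    uint32_t wire_lengths[64] = {0};                 /* constructed sample lengths */
    if (original < 0 || original > 64) abort();
    for (int i = 0; i < original; i++) wire_lengths[i] = 192u;

    struct model_urb *urb = alloc_urb(original);
    struct ret_submit_pdu rpdu = { .number_of_packets = claimed };
    pack(urb, &rpdu);
    int oob = recv_iso_count_oob(urb, wire_lengths);
    if (packets_out) *packets_out = urb->number_of_packets;
    free(urb);
    return oob;
}

/* Packet count left in the URB after packing, for the given variant. */
int packets_after(void (*pack)(struct model_urb *, const struct ret_submit_pdu *),
                  int original, int claimed)
{
    int left = 0;
    simulate(pack, original, claimed, &left);
    return left;
}

int main(void)
{
    int oob_vuln = simulate(pack_ret_submit_vulnerable, 4, 8, NULL);
    int oob_fixed = simulate(pack_ret_submit_fixed, 4, 8, NULL);
    printf("4 submitted, 8 claimed: vulnerable=%d OOB writes, fixed=%d OOB writes (count clamped to %d)\n",
           oob_vuln, oob_fixed, packets_after(pack_ret_submit_fixed, 4, 8));
    printf("4 submitted, 3 claimed: fixed keeps count at %d\n",
           packets_after(pack_ret_submit_fixed, 4, 3));
    return 0;
}
```

The model keeps the fix where the commit puts it, at the point the wire value would replace the URB's own count, so the receive loop never sees a bound larger than the allocation; a response that claims fewer packets than submitted is still accepted, since it cannot run past the array.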

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux (1 product): linux kernel
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (6)

Quick Facts

CVE ID: CVE-2026-31607
CVSS Score: 9.8 / 10
Severity: CRITICAL
CISA KEV: No
EPSS (30d): 0.02%
Affected: 1 vendor
Published: Apr 24, 2026

Recommended Actions

  • Update to a kernel that carries the fix "usbip: validate number_of_packets in usbip_pack_ret_submit()"; check your distribution's advisory for the backported version
  • Until patched, do not attach USB/IP devices exported by servers you do not control, and keep the vhci_hcd module unloaded on hosts that do not need the USB/IP client
  • Monitor CVE-2026-31607 in threat intel feeds and CISA KEV for changes in exploitation status
  • Watch USB/IP client hosts for unexpected crashes in the vhci_rx thread (or KASAN "slab-out-of-bounds in usbip_recv_iso" reports on debug kernels); generic IDS/IPS signatures are unlikely to help because the trigger is a single field in an otherwise legitimate RET_SUBMIT PDU
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.