Home

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely. The same underflow occurs in the datagram index checks against block_len - opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb. Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined. Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.

PUBLISHED Reserved 2026-03-09 | Published 2026-04-24 | Updated 2026-06-01 | Assigner Linux

Product status

Default status
unaffected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 068a7f2749fff6462a0a908ec415b885fe430f50
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 1425655c2870054c3ab4712e2b6dbdd331597ada
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 0f156bb5334e588034ca68ac2ee92b23f66e56e7
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 8757a2593631443648218244b9788e193ae0fdc1
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 6762f8a95772265dd0c2ffe7f400493f3115b135
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before d58ba8f6546232f8414f396c189297dbee03f1a7
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 74908b0318d1df1188457040b8714ff4d4b68126
affected

2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 (git) before 8f993d30b95dc9557a8a96ceca11abed674c8acb
affected

f7e0611e207d8908c4f2858e244370529a76dbf7 (git)
affected

b88ad6e714284b33a47834f5f2a294c2b37c66aa (git)
affected

471b23586387a32857778c511be60ab31c98dcfd (git)
affected

4f529c4d1e436230d3af7c09a3239677a14d2b46 (git)
affected

ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8 (git)
affected

4.9.235 (semver) before 4.10
affected

4.14.196 (semver) before 4.15
affected

4.19.143 (semver) before 4.20
affected

5.4.62 (semver) before 5.5
affected

5.8.6 (semver) before 5.9
affected

Default status
affected

5.9
affected

Any version before 5.9
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.136 (semver)
unaffected

6.12.83 (semver)
unaffected

6.18.24 (semver)
unaffected

6.19.14 (semver)
unaffected

7.0.1 (semver)
unaffected

7.1-rc1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/068a7f2749fff6462a0a908ec415b885fe430f50

git.kernel.org/...c/1425655c2870054c3ab4712e2b6dbdd331597ada

git.kernel.org/...c/8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca

git.kernel.org/...c/0f156bb5334e588034ca68ac2ee92b23f66e56e7

git.kernel.org/...c/8757a2593631443648218244b9788e193ae0fdc1

git.kernel.org/...c/6762f8a95772265dd0c2ffe7f400493f3115b135

git.kernel.org/...c/d58ba8f6546232f8414f396c189297dbee03f1a7

git.kernel.org/...c/74908b0318d1df1188457040b8714ff4d4b68126

git.kernel.org/...c/8f993d30b95dc9557a8a96ceca11abed674c8acb

cve.org (CVE-2026-31617)

nvd.nist.gov (CVE-2026-31617)

Download JSON