CVE-2026-31607

Home/CVE/In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret

CVE

In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret

In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb-number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb-iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the original number_of_packets from the CMD_SUBMIT. A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb-iso_frame_desc[i] beyond the allocated region.

KASAN confirmed this with kernel 7.0.0-rc5: BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40) The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets.

This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size. Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit. Fix this by checking rpdu-number_of_packets against urb-number_of_packets in usbip_pack_ret_submit() before the overwrite.

On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.

CRITICAL · CVSS 9.8 EPSS 0.00102

Schedule remediation

CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2026-31607, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2026-31607

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1190 · Exploit Public-Facing Application

▤ Build a SIEM detection for these techniques

⬡

Weakness Classification

CWE-787Out-of-bounds Write

▤

Affected Products & Versions

linux kernel>= 2.6.39 and < 6.6.136
linux kernel>= 6.7 and < 6.12.83
linux kernel>= 6.13 and < 6.18.24
linux kernel>= 6.19 and < 6.19.14
linux kernel>= 7.0 and < 7.0.1

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
rhel 9kernel fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k-core open
rhel 9kernel-64k-debug open
rhel 9kernel-64k-debug-core open
rhel 9kernel-64k-debug-devel fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k-debug-devel-matched open
rhel 9kernel-64k-debug-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k-debug-modules-core open
rhel 9kernel-64k-debug-modules-extra open
rhel 9kernel-64k-devel open
rhel 9kernel-64k-devel-matched fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k-modules-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-64k-modules-extra fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-abi-stablelists open
rhel 9kernel-core open
rhel 9kernel-debug fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-debug-core open
rhel 9kernel-debug-devel open
rhel 9kernel-debug-devel-matched fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-debug-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-debug-modules-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-debug-modules-extra fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-debug-uki-virt open
rhel 9kernel-devel open
rhel 9kernel-devel-matched fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-modules-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-modules-extra open
rhel 9kernel-rt fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k open
rhel 9kernel-rt-64k-core open
rhel 9kernel-rt-64k-debug fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-debug-core open
rhel 9kernel-rt-64k-debug-devel fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-debug-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-debug-modules-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-debug-modules-extra fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-devel open
rhel 9kernel-rt-64k-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-modules-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-64k-modules-extra fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-debug open
rhel 9kernel-rt-debug-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-debug-devel fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-debug-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-debug-modules-core open
rhel 9kernel-rt-debug-modules-extra open
rhel 9kernel-rt-devel open
rhel 9kernel-rt-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-rt-modules-core open
rhel 9kernel-rt-modules-extra open
rhel 9kernel-tools open
rhel 9kernel-tools-libs open
rhel 9kernel-tools-libs-devel fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-uki-virt fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-uki-virt-addons open
rhel 9kernel-zfcpdump fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-zfcpdump-core open
rhel 9kernel-zfcpdump-devel fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-zfcpdump-devel-matched open
rhel 9kernel-zfcpdump-modules fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-zfcpdump-modules-core fixed in 0:5.14.0-687.10.1.el9_8
rhel 9kernel-zfcpdump-modules-extra open
rhel 9libperf open
rhel 9perf open
rhel 9python3-perf open
rhel 9rtla fixed in 0:5.14.0-687.10.1.el9_8
rhel 9rv fixed in 0:5.14.0-687.10.1.el9_8
suse sle15cluster-md-kmp-default fixed in 0:5.14.21-150500.55.166.1
suse sle15cluster-md-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15dlm-kmp-default fixed in 0:6.4.0-150600.23.112.1
suse sle15dlm-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15gfs2-kmp-default fixed in 0:6.4.0-150600.23.112.1
suse sle15gfs2-kmp-rt fixed in 0:6.4.0-150700.7.54.1
suse sle15kernel-64kb fixed in 0:5.14.21-150500.55.166.1
suse sle15kernel-azure fixed in 0:6.4.0-150700.53.55.1
suse sle15kernel-default fixed in 0:6.4.0-150700.53.55.1

▣

Scoring & Timeline

9.8

CRITICAL · CVSS v3.1 · 416baaa9-dc9f-4396-8d5f-8c081fb06d67

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD24 Apr 2026 · 03:16 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

⚑

Vendor Advisories

suse-csafSUSE-SU-2026:2317-1
suse-csafSUSE-SU-2026:2238-1
suse-csafSUSE-SU-2026:2215-1
suse-csafSUSE-SU-2026:2216-1
suse-csafSUSE-SU-2026:2217-1
Show all 20 vendor advisoriessuse-csafSUSE-SU-2026:2195-1
suse-csafSUSE-SU-2026:2202-1
suse-csafSUSE-SU-2026:2111-1
suse-csafSUSE-SU-2026:21876-1
suse-csafSUSE-SU-2026:21877-1
suse-csafSUSE-SU-2026:21916-1
suse-csafSUSE-SU-2026:21919-1
suse-csafSUSE-SU-2026:2068-1
rhsaRHSA-2026:19569Important
rhsaRHSA-2026:19568Important
suse-csafopenSUSE-SU-2026:10703-1
rhsaRHSA-2026:23224Moderate
rhsaRHSA-2026:24343Moderate
rhsaRHSA-2026:25095Moderate
msrcCVE-2026-31607

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71Patch

https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3Patch

https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5fPatch

https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384Patch

https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4Patch

https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033bPatch

Show all 9 references

https://git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76

https://git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6

https://git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0