CVE-2026-31607 (GCVE-0-2026-31607)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:42 – Updated: 2026-06-30 12:07
VLAI
Title
usbip: validate number_of_packets in usbip_pack_ret_submit()
Summary
In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT. A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region. KASAN confirmed this with kernel 7.0.0-rc5: BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40) The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets. This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size. Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit. Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.
CWE
  • CWE-805 - Buffer Access with Incorrect Length Value
Assigner
Impacted products
Vendor Product Version
Linux Linux Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 324262c38438255bf6bdbf6342ca47c0badaab76 (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 973f2c250289f5bf6cc146b98aa6fdde11fe50d6 (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < ce744264b06b97069b3722511ab355738311fee0 (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 885c8591784da6314f9aa82fa460ac69f9f79e5f (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 8d155e2d1c4102f74f82a2bf9c016164bb0f7384 (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 906f16a836de13fe61f49cdce2f66f2dbd14caf4 (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < ef8ebb1c637b4cfb61a9dd2e013376774ee2033b (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 5e1c4ece08ccdc197177631f111845a2c68eede3 (git)
Affected: 1325f85fa49f57df034869de430f7c302ae23109 , < 2ab833a16a825373aad2ba7d54b572b277e95b71 (git)
Affected: d9638d9236eed035a575feddec61d036dacc2676 (git)
Affected: ca7d3501b7a287c18b5b470e871d3029b0f4842a (git)
Affected: 1ce528277e1a66856ed3f7526c1e3458c0ed4a70 (git)
Affected: db898d0c5c493ce4177d5e1d3a953e079a56a24b (git)
Affected: 5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a (git)
Affected: 2.6.32.37 , < 2.6.33 (semver)
Affected: 2.6.33.10 , < 2.6.34 (semver)
Affected: 2.6.34.11 , < 2.6.35 (semver)
Affected: 2.6.35.13 , < 2.6.36 (semver)
Affected: 2.6.38.3 , < 2.6.39 (semver)
Create a notification for this product.
Linux Linux Affected: 2.6.39
Unaffected: 0 , < 2.6.39 (semver)
Unaffected: 5.10.258 , ≤ 5.10.* (semver)
Unaffected: 5.15.209 , ≤ 5.15.* (semver)
Unaffected: 6.1.175 , ≤ 6.1.* (semver)
Unaffected: 6.6.136 , ≤ 6.6.* (semver)
Unaffected: 6.12.83 , ≤ 6.12.* (semver)
Unaffected: 6.18.24 , ≤ 6.18.* (semver)
Unaffected: 6.19.14 , ≤ 6.19.* (semver)
Unaffected: 7.0.1 , ≤ 7.0.* (semver)
Unaffected: 7.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.6)     cpe:/o:redhat:rhel_eus:9.6::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS (v. 9)     cpe:/o:redhat:enterprise_linux:9::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::nfv
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time for NFV (v. 9)     cpe:/a:redhat:enterprise_linux:9::nfv
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::realtime
Create a notification for this product.
Red Hat Red Hat Enterprise Linux Real Time (v. 9)     cpe:/a:redhat:enterprise_linux:9::realtime
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:rhel_els:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_els:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_eus:9.6::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::nfv"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::nfv"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time for NFV (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::realtime"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::realtime"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux Real Time (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-04-24T00:00:00.000Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in the Linux kernel\u0027s USB/IP subsystem. A malicious USB/IP server could exploit a vulnerability in the `usbip_pack_ret_submit()` function by sending a specially crafted `RET_SUBMIT` response. This response, containing an oversized `number_of_packets` value, could cause a heap out-of-bounds write. This issue may lead to a denial of service or potentially arbitrary code execution on the client system."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-805",
                "description": "Buffer Access with Incorrect Length Value",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:07:49.615Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-31607"
          },
          {
            "name": "RHBZ#2461521",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461521"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31607.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25095"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:24343"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19569"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:23224"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19568"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:25095: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:24343: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0), Red Hat Enterprise Linux Real Time EUS (v. 10.0), Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19569: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux Real Time (v. 10), Red Hat Enterprise Linux Real Time for NFV (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:23224: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6), Red Hat Enterprise Linux Real Time EUS (v.9.6), Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19568: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Real Time (v. 9), Red Hat Enterprise Linux Real Time for NFV (v. 9)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-04-24T00:00:00.000Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-04-24T00:00:00.000Z",
            "value": "Made public."
          }
        ],
        "title": "kernel: usbip: validate number_of_packets in usbip_pack_ret_submit()",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/usbip/usbip_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "324262c38438255bf6bdbf6342ca47c0badaab76",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "973f2c250289f5bf6cc146b98aa6fdde11fe50d6",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "ce744264b06b97069b3722511ab355738311fee0",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "885c8591784da6314f9aa82fa460ac69f9f79e5f",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "8d155e2d1c4102f74f82a2bf9c016164bb0f7384",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "906f16a836de13fe61f49cdce2f66f2dbd14caf4",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "ef8ebb1c637b4cfb61a9dd2e013376774ee2033b",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "5e1c4ece08ccdc197177631f111845a2c68eede3",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "lessThan": "2ab833a16a825373aad2ba7d54b572b277e95b71",
              "status": "affected",
              "version": "1325f85fa49f57df034869de430f7c302ae23109",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d9638d9236eed035a575feddec61d036dacc2676",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ca7d3501b7a287c18b5b470e871d3029b0f4842a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1ce528277e1a66856ed3f7526c1e3458c0ed4a70",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "db898d0c5c493ce4177d5e1d3a953e079a56a24b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a",
              "versionType": "git"
            },
            {
              "lessThan": "2.6.33",
              "status": "affected",
              "version": "2.6.32.37",
              "versionType": "semver"
            },
            {
              "lessThan": "2.6.34",
              "status": "affected",
              "version": "2.6.33.10",
              "versionType": "semver"
            },
            {
              "lessThan": "2.6.35",
              "status": "affected",
              "version": "2.6.34.11",
              "versionType": "semver"
            },
            {
              "lessThan": "2.6.36",
              "status": "affected",
              "version": "2.6.35.13",
              "versionType": "semver"
            },
            {
              "lessThan": "2.6.39",
              "status": "affected",
              "version": "2.6.38.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/usbip/usbip_common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.39"
            },
            {
              "lessThan": "2.6.39",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.209",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.175",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.258",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.209",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.175",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.136",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.83",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.24",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.14",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.1",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1",
                  "versionStartIncluding": "2.6.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.32.37",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.33.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.34.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.35.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.6.38.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbip: validate number_of_packets in usbip_pack_ret_submit()\n\nWhen a USB/IP client receives a RET_SUBMIT response,\nusbip_pack_ret_submit() unconditionally overwrites\nurb-\u003enumber_of_packets from the network PDU. This value is\nsubsequently used as the loop bound in usbip_recv_iso() and\nusbip_pad_iso() to iterate over urb-\u003eiso_frame_desc[], a flexible\narray whose size was fixed at URB allocation time based on the\n*original* number_of_packets from the CMD_SUBMIT.\n\nA malicious USB/IP server can set number_of_packets in the response\nto a value larger than what was originally submitted, causing a heap\nout-of-bounds write when usbip_recv_iso() writes to\nurb-\u003eiso_frame_desc[i] beyond the allocated region.\n\nKASAN confirmed this with kernel 7.0.0-rc5:\n\n  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\n  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\n\n  The buggy address is located 0 bytes to the right of\n   allocated 320-byte region [ffff888106351c00, ffff888106351d40)\n\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\nvalidate number_of_packets in the CMD_SUBMIT path since commits\nc6688ef9f297 (\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\nmalicious input\") and b78d830f0049 (\"usbip: fix vudc_rx: harden\nCMD_SUBMIT path to handle malicious input\"). The server side validates\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\nOn the client side we have the original URB, so we can use the tighter\nbound: the response must not exceed the original number_of_packets.\n\nThis mirrors the existing validation of actual_length against\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\nresponse value against the original allocation size.\n\nKelvin Mbogo\u0027s series (\"usb: usbip: fix integer overflow in\nusbip_recv_iso()\", v2) hardens the receive-side functions themselves;\nthis patch complements that work by catching the bad value at its\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\nusing the tighter per-URB allocation bound rather than the global\nUSBIP_MAX_ISO_PACKETS limit.\n\nFix this by checking rpdu-\u003enumber_of_packets against\nurb-\u003enumber_of_packets in usbip_pack_ret_submit() before the\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\nusbip_pad_iso() safely return early."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:42:48.408Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76"
        },
        {
          "url": "https://git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0"
        },
        {
          "url": "https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384"
        },
        {
          "url": "https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71"
        }
      ],
      "title": "usbip: validate number_of_packets in usbip_pack_ret_submit()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31607",
    "datePublished": "2026-04-24T14:42:29.468Z",
    "dateReserved": "2026-03-09T15:48:24.122Z",
    "dateUpdated": "2026-06-30T12:07:49.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31607",
      "date": "2026-06-30",
      "epss": "0.00311",
      "percentile": "0.22814"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31607\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:39.940\",\"lastModified\":\"2026-06-30T03:18:25.647\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nusbip: validate number_of_packets in usbip_pack_ret_submit()\\n\\nWhen a USB/IP client receives a RET_SUBMIT response,\\nusbip_pack_ret_submit() unconditionally overwrites\\nurb-\u003enumber_of_packets from the network PDU. This value is\\nsubsequently used as the loop bound in usbip_recv_iso() and\\nusbip_pad_iso() to iterate over urb-\u003eiso_frame_desc[], a flexible\\narray whose size was fixed at URB allocation time based on the\\n*original* number_of_packets from the CMD_SUBMIT.\\n\\nA malicious USB/IP server can set number_of_packets in the response\\nto a value larger than what was originally submitted, causing a heap\\nout-of-bounds write when usbip_recv_iso() writes to\\nurb-\u003eiso_frame_desc[i] beyond the allocated region.\\n\\nKASAN confirmed this with kernel 7.0.0-rc5:\\n\\n  BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640\\n  Write of size 4 at addr ffff888106351d40 by task vhci_rx/69\\n\\n  The buggy address is located 0 bytes to the right of\\n   allocated 320-byte region [ffff888106351c00, ffff888106351d40)\\n\\nThe server side (stub_rx.c) and gadget side (vudc_rx.c) already\\nvalidate number_of_packets in the CMD_SUBMIT path since commits\\nc6688ef9f297 (\\\"usbip: fix stub_rx: harden CMD_SUBMIT path to handle\\nmalicious input\\\") and b78d830f0049 (\\\"usbip: fix vudc_rx: harden\\nCMD_SUBMIT path to handle malicious input\\\"). The server side validates\\nagainst USBIP_MAX_ISO_PACKETS because no URB exists yet at that point.\\nOn the client side we have the original URB, so we can use the tighter\\nbound: the response must not exceed the original number_of_packets.\\n\\nThis mirrors the existing validation of actual_length against\\ntransfer_buffer_length in usbip_recv_xbuff(), which checks the\\nresponse value against the original allocation size.\\n\\nKelvin Mbogo\u0027s series (\\\"usb: usbip: fix integer overflow in\\nusbip_recv_iso()\\\", v2) hardens the receive-side functions themselves;\\nthis patch complements that work by catching the bad value at its\\nsource -- in usbip_pack_ret_submit() before the overwrite -- and\\nusing the tighter per-URB allocation bound rather than the global\\nUSBIP_MAX_ISO_PACKETS limit.\\n\\nFix this by checking rpdu-\u003enumber_of_packets against\\nurb-\u003enumber_of_packets in usbip_pack_ret_submit() before the\\noverwrite. On violation, clamp to zero so that usbip_recv_iso() and\\nusbip_pad_iso() safely return early.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"drivers/usb/usbip/usbip_common.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"324262c38438255bf6bdbf6342ca47c0badaab76\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"973f2c250289f5bf6cc146b98aa6fdde11fe50d6\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"ce744264b06b97069b3722511ab355738311fee0\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"885c8591784da6314f9aa82fa460ac69f9f79e5f\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"8d155e2d1c4102f74f82a2bf9c016164bb0f7384\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"906f16a836de13fe61f49cdce2f66f2dbd14caf4\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"ef8ebb1c637b4cfb61a9dd2e013376774ee2033b\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"5e1c4ece08ccdc197177631f111845a2c68eede3\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1325f85fa49f57df034869de430f7c302ae23109\",\"lessThan\":\"2ab833a16a825373aad2ba7d54b572b277e95b71\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"d9638d9236eed035a575feddec61d036dacc2676\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"ca7d3501b7a287c18b5b470e871d3029b0f4842a\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"1ce528277e1a66856ed3f7526c1e3458c0ed4a70\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"db898d0c5c493ce4177d5e1d3a953e079a56a24b\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"5aa02704b9ee67c5b2ee26d54c5f4eb99e93ba9a\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"2.6.32.37\",\"lessThan\":\"2.6.33\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"2.6.33.10\",\"lessThan\":\"2.6.34\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"2.6.34.11\",\"lessThan\":\"2.6.35\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"2.6.35.13\",\"lessThan\":\"2.6.36\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"2.6.38.3\",\"lessThan\":\"2.6.39\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"drivers/usb/usbip/usbip_common.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"2.6.39\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"2.6.39\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.10.258\",\"lessThanOrEqual\":\"5.10.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.209\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.175\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.136\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.83\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.18.24\",\"lessThanOrEqual\":\"6.18.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.19.14\",\"lessThanOrEqual\":\"6.19.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.0.1\",\"lessThanOrEqual\":\"7.0.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"7.1\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Server (v. 7 ELS)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_els:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Server Optional (v. 7 ELS)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_els:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux AppStream (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::appstream\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:rhel_eus:9.6::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux BaseOS (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9::baseos\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat CodeReady Linux Builder EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::crb\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::crb\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::nfv\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time for NFV (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::nfv\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time EUS (v. 10.0)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux_eus:10.0\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time (v. 10)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10.2\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time EUS (v.9.6)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:rhel_eus:9.6::realtime\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux Real Time (v. 9)\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/a:redhat:enterprise_linux:9::realtime\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 7\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"affected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 6\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:6\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-805\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.39\",\"versionEndExcluding\":\"6.6.136\",\"matchCriteriaId\":\"860F82EF-76BF-492E-B7CE-559EC99F9C95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.83\",\"matchCriteriaId\":\"7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.24\",\"matchCriteriaId\":\"8126B8B8-6D0B-4443-86C1-672AEE893555\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.14\",\"matchCriteriaId\":\"D6A8A074-BBF4-4803-ABED-519A839435BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0\",\"versionEndExcluding\":\"7.0.1\",\"matchCriteriaId\":\"9B5888AB-7403-4335-89E4-21CC0B48366A\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19568\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19569\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:23224\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:24343\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25095\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-31607\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2461521\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31607.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…