Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

The `check_command_size_in_blocks()` function calculates the data size
in bytes by left shifting `common->data_size_from_cmnd` by the block
size (`common->curlun->blkbits`). However, it does not validate whether
this shift operation will cause an integer overflow.

Initially, the block size is set up in `fsg_lun_open()`, and the
`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During
initialization, there is no integer overflow check for the interaction
between two variables.

So if a malicious USB host sends a SCSI READ or WRITE command
requesting a large amount of data (`common->data_size_from_cmnd`), the
left shift operation can wrap around. This results in a truncated data
size, which can bypass boundary checks and potentially lead to memory
corruption or out-of-bounds accesses.

Fix this by using the check_shl_overflow() macro to safely perform the
shift and catch any overflows.
Published: 2026-04-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the f_mass_storage driver, where the function check_command_size_in_blocks() shifts a size value by the block size without checking for overflow. If a host issues a SCSI READ or WRITE command that requests a large data size, the shift can wrap, producing a truncated value. This bypasses buffer boundary checks and can lead to memory corruption or out-of-bounds accesses inside the kernel. The weakness corresponds to an unchecked shift operator vulnerability. This overflow is a classic integer overflow issue (CWE-190).
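The wrap described above, as an added user-space example (not code from the kernel or the patch). The function names are hypothetical, the block counts and the 512-byte block size (`blkbits` = 9) are constructed, and `shl_u32_overflows()` is a stand-in that only mirrors the "true on overflow" convention of the kernel's `check_shl_overflow()`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: models "data_size_from_cmnd <<= blkbits" on a 32-bit field.
 * Bits shifted past bit 31 are silently discarded. */
static uint32_t size_in_bytes_unchecked(uint32_t blocks, unsigned int blkbits)
{
    return blocks << blkbits;
}

/* Stand-in for check_shl_overflow() on a u32: stores the (possibly truncated)
 * result in *out and returns true when the true result does not fit. */
static bool shl_u32_overflows(uint32_t value, unsigned int shift, uint32_t *out)
{
    if (shift >= 32) {          /* shifting by the full width is never valid */
        *out = 0;
        return true;
    }
    uint64_t wide = (uint64_t)value << shift;
    *out = (uint32_t)wide;
    return wide > UINT32_MAX;
}

/* Checked form: reject the request instead of continuing with a wrapped size.
 * Returning -1 is this example's choice, not the driver's error path. */
static int size_in_bytes_checked(uint32_t blocks, unsigned int blkbits,
                                 uint32_t *bytes)
{
    return shl_u32_overflows(blocks, blkbits, bytes) ? -1 : 0;
}

int main(void)
{
    /* Constructed block counts from a hypothetical host request. */
    const uint32_t samples[] = { 8u, 0x007FFFFFu, 0x00800000u, 0x00800001u };
    const unsigned int blkbits = 9;   /* 512-byte blocks */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t bytes = 0;
        int rc = size_in_bytes_checked(samples[i], blkbits, &bytes);
        printf("blocks=0x%08x unchecked=0x%08x checked=%s\n",
               (unsigned)samples[i],
               (unsigned)size_in_bytes_unchecked(samples[i], blkbits),
               rc ? "rejected" : "ok");
    }
    return 0;
}
```

The last two samples show why later bounds checks are bypassed: the unchecked size becomes 0 or 512 bytes even though the request covers more than 4 GiB.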

Affected Systems

Affected are all Linux kernel builds that include the f_mass_storage gadget driver and have not applied the patch referred to in the commit logs. No specific kernel version range is listed, so any kernel with the default f_mass_storage implementation is potentially vulnerable.

Risk and Exploitability

According to the available metrics, the EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating low current exploitation probability. However, a malicious USB host controlling SCSI commands could trigger the overflow. The attack requires physical or remote access to a USB host that can exchange SCSI commands with the device, and exploitation would likely result in kernel memory corruption, potentially escalating privileges or causing a crash. The CVSS score of 5.5 indicates a moderate level of severity.

Generated by OpenCVE AI on May 20, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the patch adding the check_shl_overflow() check to the f_mass_storage driver (see commit logs provided in the references).
  • If an immediate kernel upgrade is not feasible, disable the f_mass_storage gadget module or restrict USB access to trusted hosts to prevent malicious SCSI command injection.
  • Verify that the kernel configuration has the f_mass_storage gadget enabled only on platforms that require it, and consider enabling kernel bounds checking or address space layout randomization to reduce the impact of potential memory corruption.



Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update

History

Wed, 20 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 11 Apr 2026 00:15:00 +0000


Fri, 10 Apr 2026 11:00:00 +0000

Type Values Removed Values Added
Title usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:08:12.685Z

Reserved: 2026-03-09T15:48:24.087Z

Link: CVE-2026-31412

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-10T11:16:22.967

Modified: 2026-05-20T15:54:46.070

Link: CVE-2026-31412

Red Hat

Severity:

Public Date: 2026-04-10T00:00:00Z

Links: CVE-2026-31412 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z
