CVE-2026-31615 - Vulnerability Details

- usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint
number from the host-supplied wIndex without any sort of validation.
Fix this up by validating the number of endpoints actually match up with
the number the device has before attempting to dereference a pointer
based on this math.

This is just like what was done in commit ee0d382feb44 ("usb: gadget:
aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Renesas USB3 gadget driver. The GET_STATUS and SET/CLEAR_FEATURE request handlers extract the endpoint number from the host‑supplied wIndex without validating that the number of endpoints matches the device’s actual count. This oversight can cause a pointer dereference in kernel space based on an out‑of‑range index, leading to a kernel panic or other crash. The result is a loss of the gadget’s functionality and a denial of service to the device.

Affected Systems

All Linux kernel distributions that ship the renesas_usb3 gadget driver are affected. The flaw applies to kernel releases prior to the commit that introduces endpoint index validation; specific affected kernel versions are not enumerated in the advisory.

Risk and Exploitability

The CVSS score of 5.5 places this issue in the medium severity range. The EPSS score is below 1 %, indicating a low likelihood that this vulnerability will be exploited in the wild. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger the flaw by sending a USB control request with an invalid wIndex value to the gadget device from a USB host; a successful exploit would cause a kernel crash and a temporary loss of the device’s functionality.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`746bfe63bba37ad55956b7377c9af494e7e28929`	affected	< 1b2bfedccc4fb8c9572e1ea464f905424c91de2a
`746bfe63bba37ad55956b7377c9af494e7e28929`	affected	< adb8014599fdf0818d3d93f1f74e06cd0bdec08d
`746bfe63bba37ad55956b7377c9af494e7e28929`	affected	< 44216e3dd4455b798899b50eedb0ec3831dff8e0
`746bfe63bba37ad55956b7377c9af494e7e28929`	affected	< 37f430b2240655e6b0199a92aa1057e4d621be51
`746bfe63bba37ad55956b7377c9af494e7e28929`	affected	< e3d42598f2995cdc07b7779874e7c5f8a1b773db
`746bfe63bba37ad55956b7377c9af494e7e28929`	affected	< f880aac8a57ebd92abfa685d45424b2998ac1059

Linux

affected

Version	Status	Constraints
`4.5`	affected	—
`0`	unaffected	< 4.5
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[746bfe63bba37ad55956b7377c9af494e7e28929,1b2bfedccc4fb8c9572e1ea464f905424c91de2a)`	affected	code_commit	—
`[746bfe63bba37ad55956b7377c9af494e7e28929,adb8014599fdf0818d3d93f1f74e06cd0bdec08d)`	affected	code_commit	—
`[746bfe63bba37ad55956b7377c9af494e7e28929,44216e3dd4455b798889b50eedb0ec3831dff8e0)`	affected	code_commit	—
`[746bfe63bba37ad55956b7377c9af494e7e28929,37f430b2240655e6b0199a92aa1057e4d621be51)`	affected	code_commit	—
`[746bfe63bba37ad55956b7377c9af494e7e28929,e3d42598f2995cdc07b7779874e7c5f8a1b773db)`	affected	code_commit	—
`[746bfe63bba37ad55956b7377c9af494e7e28929,f880aac8a57ebd92abfa685d45424b2998ac1059)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.5`	affected	generic	—
`[0,4.5)`	unaffected	generic	—
`[6.6.136,6.7.0)`	unaffected	semver	—
`[6.12.83,6.13.0)`	unaffected	semver	—
`[6.18.24,6.19.0)`	unaffected	semver	—
`[6.19.14,6.20.0)`	unaffected	semver	—
`[7.0.1,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the kernel patch that validates the endpoint index before dereferencing the control‑transfer buffer, thereby correcting the index‑out‑of‑bounds bug (CWE‑1285) and preventing null pointer dereferences (CWE‑476).
If an immediate kernel upgrade is not feasible, temporarily disable the Renesas USB3 gadget driver or disconnect the device from USB hosts until the patch is applied to mitigate the risk of out‑of‑bounds dereferences.
Add a module blacklist entry (for example, /etc/modprobe.d/blacklist-renesas_usb3.conf) to prevent automatic loading of the renesas_usb3 driver when the gadget functionality is not required, thereby reducing exposure to the index validation flaw.

Generated by OpenCVE AI on April 29, 2026 at 01:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a
https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51
https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0
https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d
https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db
https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059
https://lore.kernel.org/linux-cve-announce/2026042423-CVE-2026-31615-f19f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31615
https://www.cve.org/CVERecord?id=CVE-2026-31615

History

Tue, 28 Apr 2026 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026042423-CVE-2026-31615-f19f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31615 https://www.cve.org/CVERecord?id=CVE-2026-31615

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadget: aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.
Title		usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51 https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0 https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:34.806Z

Updated: 2026-05-11T22:12:13.975Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31615

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:40.767

Modified: 2026-04-28T17:29:26.373

Link: CVE-2026-31615

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31615 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T01:45:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object