Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()

A broken/bored/mean USB host can overflow the skb_shared_info->frags[]
array on a Linux gadget exposing a Phonet function by sending an
unbounded sequence of full-page OUT transfers.

pn_rx_complete() finalizes the skb only when req->actual < req->length,
where req->length is set to PAGE_SIZE by the gadget. If the host always
sends exactly PAGE_SIZE bytes per transfer, fp->rx.skb will never be
reset and each completion will add another fragment via
skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),
subsequent frag stores overwrite memory adjacent to the shinfo on the
heap.

Drop the skb and account a length error when the frag limit is reached,
matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan:
t7xx: fix potential skb->frags overflow in RX path").
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption
Action: Apply patch
AI Analysis

Impact

A flaw in the Linux kernel USB gadget Phonet driver allows an attacker on the USB host side to overflow the kernel's skb_shared_info->frags[] array by sending a sequence of full-page OUT transfers. Each transfer adds a fragment, and once the number of fragments exceeds MAX_SKB_FRAGS (default 17), subsequent fragment stores overwrite heap memory adjacent to the skb_shared_info structure. This is an out-of-bounds write (CWE-787) and can lead to memory corruption. The patched kernel drops the skb and reports a length error when the limit is reached, preventing a memory leak (CWE-401).

The vulnerability exists in any Linux kernel that includes the Phonet gadget driver. No specific kernel version is listed, so all builds containing the unpatched driver are considered vulnerable. Exploitation is limited to devices that expose Phonet functionality and interact with a USB host capable of sending crafted OUT packets. The CVSS score of 5.5 denotes medium severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not in CISA KEV. Exploitation requires a USB host that can communicate with the gadget and send exactly PAGE_SIZE bytes on each transfer, so the attack vector is local and requires physical or logical access to the USB interface.
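The accumulation logic described above, as a user-space model in C. This is an added example, not the kernel's code or the upstream patch: struct rx_model, rx_complete() and run_full_pages() are hypothetical names, PAGE_SIZE is assumed to be 4096, and the model counts stores that would fall outside frags[] instead of performing them.

```c
#include <stdio.h>

#define MAX_SKB_FRAGS 17      /* default named in the advisory */
#define PAGE_SIZE     4096u   /* assumed page size for this model */

/* Simplified stand-in for the skb being assembled in fp->rx.skb. */
struct rx_model {
    unsigned int nr_frags;      /* fragments attached so far */
    unsigned int oob_stores;    /* stores that would land past frags[] */
    unsigned int delivered;     /* packets finalized and passed up */
    unsigned int length_errors; /* packets dropped at the frag limit */
};

/* One OUT-transfer completion; `guard` selects the hardened behaviour. */
static void rx_complete(struct rx_model *m, unsigned int actual, int guard)
{
    if (guard && m->nr_frags >= MAX_SKB_FRAGS) {
        /* Fix described in the advisory: drop the skb, count a length error.
         * Discarding the current transfer too is an assumption of the model. */
        m->nr_frags = 0;
        m->length_errors++;
        return;
    }
    if (m->nr_frags >= MAX_SKB_FRAGS)
        m->oob_stores++;        /* frags[] has only MAX_SKB_FRAGS slots */
    m->nr_frags++;              /* stands in for skb_add_rx_frag() */

    if (actual < PAGE_SIZE) {   /* only a short transfer finalizes the skb */
        m->delivered++;
        m->nr_frags = 0;
    }
}

/* Feed n full-page transfers and return the resulting state. */
static struct rx_model run_full_pages(unsigned int n, int guard)
{
    struct rx_model m = {0};
    for (unsigned int i = 0; i < n; i++)
        rx_complete(&m, PAGE_SIZE, guard);
    return m;
}

int main(void)
{
    struct rx_model bad = run_full_pages(40, 0), ok = run_full_pages(40, 1);
    printf("unguarded: nr_frags=%u oob_stores=%u\n", bad.nr_frags, bad.oob_stores);
    printf("guarded:   nr_frags=%u length_errors=%u\n", ok.nr_frags, ok.length_errors);
    return 0;
}
```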

Affected Systems

All Linux kernel builds that include the Phonet gadget driver are affected. The vendor is the Linux kernel project. No specific version information is provided, so any kernel containing the unpatched driver may be vulnerable. Devices that expose Phonet functionality and connect to a USB host capable of sending numerous full‑page OUT transfers are within scope.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability rates as medium severity, and the EPSS score of less than 1% suggests exploitation chances are minimal. The vulnerability is not listed in the CISA KEV catalog. Because the overflow occurs only when a host sends a sequence of full‑page OUT transfers that exceed the fragment limit, the required conditions involve a USB host with direct access to the gadget. Successful exploitation could corrupt kernel memory, potentially leading to kernel crashes or privilege escalation, but no confirmed remote code execution is documented.

Generated by OpenCVE AI on April 28, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds the frag-limit check to pn_rx_complete() in the Phonet gadget driver; it follows the t7xx fix in commit f0813bcd2d9d.
  • If a kernel update cannot be applied immediately, disable or remove the Phonet gadget module from the kernel configuration to eliminate the vulnerable code path.
  • Restrict USB host access to the gadget device, for example by disabling OTG on untrusted interfaces or configuring udev rules to limit enumeration to trusted hosts.


Advisories

Source: Debian DSA
ID: DSA-6238-1
Title: linux security update

History

Tue, 28 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:15.268Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31616

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:40.870

Modified: 2026-04-28T17:21:15.470

Link: CVE-2026-31616

Redhat

Severity :

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31616 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z
