Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

The block_len read from the host-supplied NTB header is checked against
ntb_max but has no lower bound. When block_len is smaller than
opts->ndp_size, the bounds check of:
ndp_index > (block_len - opts->ndp_size)
will underflow producing a huge unsigned value that ndp_index can never
exceed, defeating the check entirely.

The same underflow occurs in the datagram index checks against block_len
- opts->dpe_size. With those checks neutered, a malicious USB host can
choose ndp_index and datagram offsets that point past the actual
transfer, and the skb_put_data() copies adjacent kernel memory into the
network skb.

Fix this by rejecting block lengths that cannot hold at least the NTB
header plus one NDP. This will make block_len - opts->ndp_size and
block_len - opts->dpe_size both well-defined.

Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed
a related class of issues on the host side of NCM.
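
The bounds check described above, reduced to a stand-alone C program and shown beside a form with the lower bound added. This is an added example, not the kernel's code and not part of the original advisory; the function names, the NTH_SIZE and NDP_SIZE values, and the header values in main() are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Sample sizes for illustration (assumed, modelled on 16-bit NCM framing). */
#define NTH_SIZE 12u   /* NTB header */
#define NDP_SIZE  8u   /* one NDP header */

/* Upper-bound-only check as the description states it: with unsigned
 * arithmetic, block_len - NDP_SIZE wraps when block_len < NDP_SIZE. */
static int ndp_index_accepted_weak(uint32_t block_len, uint32_t ntb_max,
                                   uint32_t ndp_index)
{
    if (block_len > ntb_max)
        return 0;
    if (ndp_index > (block_len - NDP_SIZE))   /* bound wraps to a huge value */
        return 0;
    return 1;
}

/* Hardened form: first reject blocks that cannot hold the NTB header plus
 * one NDP, so the subtraction below is always well-defined. The datagram
 * index check against block_len - dpe_size has the same shape. */
static int ndp_index_accepted_hardened(uint32_t block_len, uint32_t ntb_max,
                                       uint32_t ndp_index)
{
    if (block_len < NTH_SIZE + NDP_SIZE || block_len > ntb_max)
        return 0;
    if (ndp_index > (block_len - NDP_SIZE))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed header values: a 4-byte block and an index far past it. */
    uint32_t block_len = 4, ntb_max = 16384, ndp_index = 4000;

    printf("bound after subtraction: %u\n", (unsigned)(block_len - NDP_SIZE));
    printf("weak check accepts: %d, hardened check accepts: %d\n",
           ndp_index_accepted_weak(block_len, ntb_max, ndp_index),
           ndp_index_accepted_hardened(block_len, ntb_max, ndp_index));
    return 0;
}
```
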
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption that can lead to privilege escalation or denial of service
Action: Patch immediately
AI Analysis

Impact

The USB NCM gadget driver does not enforce a lower bound on the block length, so a hostile USB host can supply a value smaller than the minimum required for a valid NTB header. The resulting numeric underflow defeats the bounds checks on NDP and datagram indices, enabling the driver to copy kernel memory into a network socket buffer. The resulting memory vulnerability can be abused to inject corrupted data into the kernel or to trigger a crash, giving an attacker the possibility to gain elevated privileges or to cause a denial of service.

Affected Systems

Any system running a Linux kernel with the USB gadget NCM driver is potentially affected. The vulnerability applies to all kernel versions prior to the defect‑fix commit and is not limited to a specific distribution; all vendors that ship unpatched kernels are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity. The EPSS score of less than 1% implies that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires a malicious USB host that can control the NTB header, which is a local and relatively easy vector to present to a device with USB gadget functionality. Because the flaw allows arbitrary kernel memory contamination, an attacker could potentially execute code at kernel privilege or cause a system crash if the driver is active on the target device.

Generated by OpenCVE AI on April 28, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes commit 8d2b1a1ec9f5, which validates the minimum block length in ncm_unwrap_ntb()
  • If a kernel update is not yet feasible, disable the NCM gadget function or unload the f_ncm module before accepting connections from untrusted USB hosts
  • Verify that the firmware uses a secure USB environment by restricting the USB gadget interfaces to trusted devices or by isolating the gadget subsystem in a virtualized container


Advisories
Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Tue, 28 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 27 Apr 2026 14:15:00 +0000


Mon, 27 Apr 2026 11:30:00 +0000


Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Title usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:16.395Z

Reserved: 2026-03-09T15:48:24.123Z

Link: CVE-2026-31617

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-24T15:16:40.973

Modified: 2026-04-28T17:27:20.347

Link: CVE-2026-31617

Redhat

Severity: Important

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31617 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses