CVE-2026-31623 - Vulnerability Details

- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

Description

In the Linux kernel, the following vulnerability has been resolved:

net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

A malicious USB device claiming to be a CDC Phonet modem can overflow
the skb_shared_info->frags[] array by sending an unbounded sequence of
full-page bulk transfers.

Drop the skb and increment the length error when the frag limit is
reached. This matches the same fix that commit f0813bcd2d9d ("net:
wwan: t7xx: fix potential skb->frags overflow in RX path") did for the
t7xx driver.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A malicious USB device masquerading as a CDC Phonet modem can send an unbounded sequence of full‑page bulk transfers, which causes an overflow of the skb_shared_info->frags array within the Linux kernel's CDC‑Phonet driver. The overflow can corrupt kernel memory, potentially allowing an attacker to execute arbitrary code with kernel privileges or to crash the system.

Affected Systems

The vulnerability affects all Linux kernel versions prior to the application of the fix contained in commit 600dc405 and related patches. All standard kernel distributions that include the cdc_phonet driver are impacted, regardless of edition, unless the module has been removed or the kernel has been updated to a version containing the fix.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium impact, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a local attacker who can physically attach a malicious USB device to the target system. Because the flaw resides in kernel memory handling, successful exploitation could lead to privilege escalation or denial of service. The patch mitigates the overflow by dropping the skb and recording a length error when the fragment limit is reached, but systems running unpatched kernels remain at risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`87cf65601e1709e57f7e28f0f7b3eb0a992c1782`	affected	< d4e1946bea8d6441835eb3fd09b19237ba366a6f
`87cf65601e1709e57f7e28f0f7b3eb0a992c1782`	affected	< a23b1b1aaf41e174181d5853a70e65d4d01e648c
`87cf65601e1709e57f7e28f0f7b3eb0a992c1782`	affected	< c183d5775129a0a7495bd61a6e57ec230dcf01e5
`87cf65601e1709e57f7e28f0f7b3eb0a992c1782`	affected	< ebf75c6301c4972a87542ebf2d994c6391eb5d46
`87cf65601e1709e57f7e28f0f7b3eb0a992c1782`	affected	< 9989938d13cc5ba8447eeed5a61acfcf61bc6801
`87cf65601e1709e57f7e28f0f7b3eb0a992c1782`	affected	< 600dc40554dc5ad1e6f3af51f700228033f43ea7

Linux

affected

Version	Status	Constraints
`2.6.31`	affected	—
`0`	unaffected	< 2.6.31
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,d4e1946bea8d6441835eb3fd09b19237ba366a6f)`	affected	code_commit	—
`[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,a23b1b1aaf41e174181d5853a70e65d4d01e648c)`	affected	code_commit	—
`[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,c183d5775129a0a7495bd61a6e57ec230dcf01e5)`	affected	code_commit	—
`[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,ebf75c6301c4972a87542ebf2d994c6391eb5d46)`	affected	code_commit	—
`[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,9989938d13cc5ba8447eeed5a61acfcf61bc6801)`	affected	code_commit	—
`[87cf65601e1709e57f7e28f0f7b3eb0a992c1782,600dc40554dc5ad1e6f3af51f700228033f43ea7)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.31`	affected	semver	—
`[0,2.6.31)`	unaffected	semver	—
`[6.6.136,7.0.0)`	unaffected	semver	—
`[6.12.83,7.0.0)`	unaffected	semver	—
`[6.18.24,7.0.0)`	unaffected	semver	—
`[6.19.14,7.0.0)`	unaffected	semver	—
`[7.0.1,8.0.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the fix for commit 600dc405
If an upgrade is not immediately possible, unload the cdc_phonet module with "modprobe -r cdc_phonet" or blacklist it in modules.conf to prevent the driver from loading
Apply stricter USB device restrictions, such as limiting USB host controller access or blocking untrusted CDC‑Phonet devices with udev rules

Generated by OpenCVE AI on April 28, 2026 at 20:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7
https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801
https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c
https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5
https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f
https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46
https://lore.kernel.org/linux-cve-announce/2026042426-CVE-2026-31623-64d8@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31623
https://www.cve.org/CVERecord?id=CVE-2026-31623

History

Tue, 28 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
References		https://lore.kernel.org/linux-cve-announce/2026042426-CVE-2026-31623-64d8@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31623 https://www.cve.org/CVERecord?id=CVE-2026-31623
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() A malicious USB device claiming to be a CDC Phonet modem can overflow the skb_shared_info->frags[] array by sending an unbounded sequence of full-page bulk transfers. Drop the skb and increment the length error when the frag limit is reached. This matches the same fix that commit f0813bcd2d9d ("net: wwan: t7xx: fix potential skb->frags overflow in RX path") did for the t7xx driver.
Title		net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801 https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5 https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:40.566Z

Updated: 2026-05-11T22:12:23.408Z

Reserved: 2026-03-09T15:48:24.124Z

Link: CVE-2026-31623

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:41.587

Modified: 2026-04-28T14:17:26.380

Link: CVE-2026-31623

Redhat

Severity : Important

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31623 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses

CWE-120

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object