Security Vulnerability Report
中文
CVE-2026-31615 CVSS 5.5 MEDIUM

CVE-2026-31615

Published: 2026-04-24 15:16:41
Last Modified: 2026-04-28 17:29:26
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up by validating the number of endpoints actually match up with the number the device has before attempting to dereference a pointer based on this math. This is just like what was done in commit ee0d382feb44 ("usb: gadget: aspeed_udc: validate endpoint index for ast udc") for the aspeed driver.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (Commit 1b2bfedccc4f 之前)
Linux Kernel (Commit 37f430b22406 之前)
Linux Kernel (Commit 44216e3dd445 之前)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC Concept: Sending a malicious USB Control Request * This requires a setup where the target acts as a USB Device * and the attacker acts as the Host (or triggers it locally). */ #include <linux/usb/ch9.h> #include <stdint.h> // Malicious control request structure struct usb_ctrlrequest malicious_req = { .bRequestType = USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_ENDPOINT, .bRequest = USB_REQ_GET_STATUS, .wValue = 0, // Invalid endpoint index (e.g., 32) exceeding the array bounds .wIndex = 32, .wLength = 2 }; // Note: Exploitation typically requires a specific environment // where the Linux kernel is running the renesas_usb3 gadget driver. // Triggering this from a local context usually involves ioctl calls // to the gadget device or interacting with the configfs interface.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31615", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:40.767", "lastModified": "2026-04-28T17:29:26.373", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: renesas_usb3: validate endpoint index in standard request handlers\n\nThe GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint\nnumber from the host-supplied wIndex without any sort of validation.\nFix this up by validating the number of endpoints actually match up with\nthe number the device has before attempting to dereference a pointer\nbased on this math.\n\nThis is just like what was done in commit ee0d382feb44 (\"usb: gadget:\naspeed_udc: validate endpoint index for ast udc\") for the aspeed driver."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "6.6.136", "matchCriteriaId": "FCEFD340-4D12-4082-8086-2A113C4D3AAD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.83", "matchCriteriaId": "A8BAD957-8E20-401C-A129-DFF3655CA0B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1b2bfedccc4fb8c9572e1ea464f905424c91de2a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/37f430b2240655e6b0199a92aa1057e4d621be51", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/44216e3dd4455b798899b50eedb0ec3831dff8e0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/adb8014599fdf0818d3d93f1f74e06cd0bdec08d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e3d42598f2995cdc07b7779874e7c5f8a1b773db", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f880aac8a57ebd92abfa685d45424b2998ac1059", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.