PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31412 Linux CVE debrief

CVE-2026-31412 is a Linux kernel issue in the USB gadget mass-storage function (`f_mass_storage`). The vulnerable path derives a command's byte size by left-shifting `common->data_size_from_cmnd` (a block count taken from the SCSI command) by the LUN's block-size exponent `blkbits`, without first checking whether the shift overflows. According to the published fix notes, a SCSI READ or WRITE with a large enough transfer length makes the shifted size wrap, so the subsequent length and boundary checks operate on a truncated value, with a risk of memory corruption or out-of-bounds access. The issue was published on 2026-04-10, and NVD updated the record on 2026-05-20 with stable-kernel patch references.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-10
Original CVE updated: 2026-05-20
Advisory published: 2026-04-10
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, embedded and appliance vendors shipping USB gadget functionality, and operators who rely on `f_mass_storage` on devices exposed to untrusted USB interactions.

Technical summary

NVD lists the weakness as CWE-190 (integer overflow or wraparound) with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, i.e. a local, low-complexity, low-privilege attack whose scored impact is availability only. The vulnerable function `check_command_size_in_blocks()` left-shifts `common->data_size_from_cmnd` by `common->curlun->blkbits` to turn a block count into a byte size, but, per the published description, the code did not validate whether that shift would overflow. The fix uses `check_shl_overflow()` to detect overflow before the shifted value is used. NVD lists the affected ranges as all kernels before 6.1.167, 6.6.130, 6.12.78, 6.18.19, and 6.19.9 in their respective stable series, plus 7.0 release candidates through rc4.
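The arithmetic behind the bug, as an added userspace model rather than the kernel's code: a READ(16) transfer length (bytes 10..13 of the CDB, per the SCSI block-command layout) is shifted by `blkbits` the way the pre-fix driver did, and beside it the same computation guarded by a helper with the same contract as the kernel's `check_shl_overflow()` (store `a << shift`, return true on overflow). The 32-bit width of `data_size_from_cmnd`, the exact CDB field the driver copies into it, and the choice to return -1 on rejection are assumptions of this example; the constructed CDBs are sample input, not captured traffic.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's check_shl_overflow(): stores a << shift in
 * *dst and returns true when the result does not fit in a u32 (or the shift
 * amount itself is out of range). Same contract as the kernel macro, own code. */
static bool shl_overflow_u32(uint32_t a, unsigned int shift, uint32_t *dst)
{
    if (shift >= 32) {
        *dst = 0;
        return true;
    }
    *dst = a << shift;
    /* If any set bit was shifted out, shifting back does not reproduce a. */
    return (*dst >> shift) != a;
}

/* Transfer length of a READ(16)/WRITE(16) CDB: big-endian u32 in bytes 10..13.
 * Assumption: this is the field that ends up in common->data_size_from_cmnd. */
static uint32_t cdb16_transfer_length(const uint8_t cdb[16])
{
    return ((uint32_t)cdb[10] << 24) | ((uint32_t)cdb[11] << 16) |
           ((uint32_t)cdb[12] << 8) | (uint32_t)cdb[13];
}

/* Pre-fix arithmetic: the block count is shifted by blkbits (log2 of the
 * logical block size) in u32 arithmetic, so a large count silently wraps. */
static uint32_t command_bytes_vulnerable(const uint8_t cdb[16], unsigned int blkbits)
{
    uint32_t blocks = cdb16_transfer_length(cdb);
    return blocks << blkbits;   /* blkbits < 32 assumed, as for any real LUN */
}

/* Post-fix arithmetic: the shift is checked first. Returns the byte count, or
 * -1 when it would wrap and the command must be rejected (the -1 is this
 * model's convention; the kernel reports its own error and sense data). */
static int64_t command_bytes_checked(const uint8_t cdb[16], unsigned int blkbits)
{
    uint32_t blocks = cdb16_transfer_length(cdb), bytes;
    if (shl_overflow_u32(blocks, blkbits, &bytes))
        return -1;
    return (int64_t)bytes;
}

/* Constructed READ(16) CDBs (opcode 0x88, LBA 0); only the transfer length differs. */
static const uint8_t SMALL_READ16[16] = { 0x88, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                          0x00, 0x00, 0x00, 0x08, 0, 0 }; /* 8 blocks */
static const uint8_t EDGE_READ16[16]  = { 0x88, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                          0x00, 0x7F, 0xFF, 0xFF, 0, 0 }; /* 0x7FFFFF blocks */
static const uint8_t HUGE_READ16[16]  = { 0x88, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                                          0x01, 0x00, 0x00, 0x00, 0, 0 }; /* 2^24 blocks */

int main(void)
{
    const struct { const char *name; const uint8_t *cdb; } cases[] = {
        { "small", SMALL_READ16 }, { "edge", EDGE_READ16 }, { "huge", HUGE_READ16 },
    };
    unsigned int blkbits = 9;   /* 512-byte logical blocks */

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t before = command_bytes_vulnerable(cases[i].cdb, blkbits);
        int64_t after = command_bytes_checked(cases[i].cdb, blkbits);
        printf("%-5s blocks=0x%08" PRIx32 " pre-fix bytes=0x%08" PRIx32 " post-fix=%s\n",
               cases[i].name, cdb16_transfer_length(cases[i].cdb), before,
               after < 0 ? "rejected (overflow)" : "accepted");
    }
    return 0;
}
```

With 512-byte blocks the largest count that still fits is 0x7FFFFF (0xFFFFFE00 bytes); one more doubling, or the same count on a 4096-byte LUN, wraps. The "huge" request of 2^24 blocks wraps to exactly zero bytes, which is the kind of value that sails through any later size comparison while the command still names a multi-gigabyte transfer.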

Defensive priority

Medium. The issue is kernel-level and the impact can include availability loss and possible memory-safety consequences, but the CVSS score is 5.5 and the NVD record scores the attack vector as local. One caveat when reading that vector: in gadget mode the SCSI commands that reach `f_mass_storage` come from the USB host the device is plugged into, so "local" in practice covers whatever sits at the other end of the cable. Prioritize remediation for systems that expose USB gadget mass-storage functionality to hosts they do not control.

Recommended defensive actions

  • Apply the vendor/stable kernel patches referenced by NVD for CVE-2026-31412.
  • Upgrade affected kernels to at least the first fixed release of their stable series as listed by NVD: 6.1.167, 6.6.130, 6.12.78, 6.18.19, or 6.19.9 (or a 7.0 release candidate later than rc4), or apply an equivalent backport.
  • If USB gadget mass storage is not required, do not build or load it: leave `CONFIG_USB_F_MASS_STORAGE` (and the legacy `g_mass_storage` gadget) unset, or prevent the `usb_f_mass_storage` module from loading, so no device exposes the function.
  • Review embedded, appliance, and test systems that can present a USB gadget interface to ensure the fix is backported and deployed consistently.
  • Verify that downstream kernel builds include the overflow check: the patched `check_command_size_in_blocks()` in drivers/usb/gadget/function/f_mass_storage.c should call `check_shl_overflow()` on `data_size_from_cmnd` before the shifted value is used, and the applied change should match the stable commits linked from the NVD record.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus. The CVE was published at 2026-04-10T11:16:22.967Z and modified at 2026-05-20T15:54:46.070Z. NVD marks the record as analyzed, assigns CVSS 5.5/Medium, identifies CWE-190, and lists six stable-kernel patch references from git.kernel.org. The resource links and affected-version ranges come from the provided NVD metadata.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-04-10, with NVD metadata last modified on 2026-05-20 and patch references added in the official record.