In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()

The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow.

Initially, the block size is set up in `fsg_lun_open()`, and `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between these two variables.

So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses.

Fix this by using the `check_shl_overflow()` macro to safely perform the shift and catch any overflows.

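The wraparound described above, next to a checked shift, as an added example that is not the kernel's code. The helper names are hypothetical, the 32-bit width of the size field and the sample values are assumptions, and `size_in_bytes_checked()` is a userspace stand-in for what `check_shl_overflow()` does.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Unchecked form: a block count shifted into a byte count.
 * With a 32-bit field (assumed width) the high bits are silently discarded.
 * Only call with blkbits < 32; a larger shift is undefined behaviour in C.
 */
static uint32_t size_in_bytes_unchecked(uint32_t blocks, unsigned int blkbits)
{
    return blocks << blkbits;
}

/*
 * Checked form (hypothetical helper, userspace stand-in for check_shl_overflow()).
 * Returns 0 and stores the byte count on success, -1 if the shifted value
 * would not fit in 32 bits. *bytes is left untouched on failure.
 */
static int size_in_bytes_checked(uint32_t blocks, unsigned int blkbits,
                                 uint32_t *bytes)
{
    if (blkbits >= 32)
        return -1;                      /* shift count itself is out of range */
    if (blocks > (UINT32_MAX >> blkbits))
        return -1;                      /* high bits would be shifted out */
    *bytes = blocks << blkbits;
    return 0;
}

int main(void)
{
    /* Constructed values: 512-byte blocks (blkbits = 9), oversized block count. */
    const unsigned int blkbits = 9;
    const uint32_t blocks = 0x00800001u;
    uint32_t bytes = 0;

    /* True size is 0x100000200 bytes; the 32-bit result keeps only 0x200. */
    printf("unchecked: %u blocks -> %u bytes\n",
           (unsigned)blocks, (unsigned)size_in_bytes_unchecked(blocks, blkbits));

    if (size_in_bytes_checked(blocks, blkbits, &bytes) != 0)
        printf("checked:   %u blocks rejected (overflow)\n", (unsigned)blocks);

    if (size_in_bytes_checked(8, blkbits, &bytes) == 0)
        printf("checked:   8 blocks -> %u bytes\n", (unsigned)bytes);
    return 0;
}
```

A caller that compares the unchecked result against a buffer limit sees 512 bytes for this request, which is why the truncated value passes later boundary checks.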
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux | 144974e7f9e32b53b02f6c8632be45d8f43d6ab5, 3.3, 7.0-rc3 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| linux | linux | mitre_affected | 90% |
| open source | linux kernel | cert_advisory | 90% |
Updated description with new details, changed severity to CRITICAL, added affected version 7.0-rc3, and noted no exploit exists.
Updated severity to HIGH and marked the vulnerability as actively exploited with an exploit available.
Added CVE-2026-31412, updated description with more technical detail, and provided a list of patch URLs.
Initial creation