CVE-2026-31616

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()<br /> <br /> A broken/bored/mean USB host can overflow the skb_shared_info-&gt;frags[]<br /> array on a Linux gadget exposing a Phonet function by sending an<br /> unbounded sequence of full-page OUT transfers.<br /> <br /> pn_rx_complete() finalizes the skb only when req-&gt;actual length,<br /> where req-&gt;length is set to PAGE_SIZE by the gadget. If the host always<br /> sends exactly PAGE_SIZE bytes per transfer, fp-&gt;rx.skb will never be<br /> reset and each completion will add another fragment via<br /> skb_add_rx_frag(). Once nr_frags exceeds MAX_SKB_FRAGS (default 17),<br /> subsequent frag stores overwrite memory adjacent to the shinfo on the<br /> heap.<br /> <br /> Drop the skb and account a length error when the frag limit is reached,<br /> matching the fix applied in t7xx by commit f0813bcd2d9d ("net: wwan:<br /> t7xx: fix potential skb-&gt;frags overflow in RX path").