CVE-2026-31412

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()<br /> <br /> The `check_command_size_in_blocks()` function calculates the data size<br /> in bytes by left shifting `common-&gt;data_size_from_cmnd` by the block<br /> size (`common-&gt;curlun-&gt;blkbits`). However, it does not validate whether<br /> this shift operation will cause an integer overflow.<br /> <br /> Initially, the block size is set up in `fsg_lun_open()` , and the<br /> `common-&gt;data_size_from_cmnd` is set up in `do_scsi_command()`. During<br /> initialization, there is no integer overflow check for the interaction<br /> between two variables.<br /> <br /> So if a malicious USB host sends a SCSI READ or WRITE command<br /> requesting a large amount of data (`common-&gt;data_size_from_cmnd`), the<br /> left shift operation can wrap around. This results in a truncated data<br /> size, which can bypass boundary checks and potentially lead to memory<br /> corruption or out-of-bounds accesses.<br /> <br /> Fix this by using the check_shl_overflow() macro to safely perform the<br /> shift and catch any overflows.