CVE-2026-31616 Overview
CVE-2026-31616 is a memory corruption vulnerability in the Linux kernel's USB gadget subsystem, specifically affecting the Phonet function driver (f_phonet). A malicious or compromised USB host can trigger a heap-based out-of-bounds write by sending an unbounded sequence of full-page OUT transfers to a Linux gadget device exposing the Phonet function. This overflow occurs in the skb_shared_info->frags[] array within the pn_rx_complete() function, potentially corrupting adjacent heap memory.
Critical Impact
A local attacker with physical access to a USB gadget device can cause a denial of service (system crash) by overwriting heap memory adjacent to the socket buffer's shared info structure. This could potentially be leveraged for more severe attacks depending on heap layout.
Affected Products
- Linux Kernel (multiple versions with USB gadget Phonet function support)
- Linux-based embedded devices exposing USB gadget functionality
- Systems configured with CONFIG_USB_GADGET and Phonet function enabled
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-31616 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31616
Vulnerability Analysis
The vulnerability exists in the pn_rx_complete() function within the Linux kernel's USB gadget Phonet driver (drivers/usb/gadget/function/f_phonet.c). The function processes incoming USB OUT transfers and constructs socket buffers (skbs) by adding page fragments to the skb_shared_info->frags[] array using skb_add_rx_frag().
The core issue is that the function only finalizes and resets the skb when req->actual < req->length, where req->length is set to PAGE_SIZE; in other words, a transfer shorter than a full page is what marks the last fragment of a Phonet message. When a malicious USB host consistently sends exactly PAGE_SIZE bytes per transfer, the condition to finalize the skb is never met, so fp->rx.skb accumulates fragments indefinitely without ever being reset.
Once the nr_frags counter exceeds MAX_SKB_FRAGS (typically 17 on most systems), subsequent fragment additions will write beyond the bounds of the frags[] array, corrupting heap memory adjacent to the skb_shared_info structure.
Root Cause
The root cause is missing bounds checking on the number of fragments (nr_frags) before adding new fragments to the skb. The driver assumed that the USB protocol would naturally terminate transfers before reaching the fragment limit, but this assumption fails when a malicious host crafts transfers to exploit this behavior.
The fix implements a check to drop the skb and account for a length error when the fragment limit is reached, matching the approach used in commit f0813bcd2d9d for the t7xx WWAN driver which had a similar vulnerability in its RX path.
Attack Vector
The attack requires local access to the USB gadget device, typically through physical connection to the USB port. The attacker must act as a USB host connecting to a Linux device configured as a USB gadget with the Phonet function enabled.
The exploitation scenario involves a controlled USB host device sending a continuous stream of OUT transfers, each exactly PAGE_SIZE bytes in length. This prevents the normal skb finalization path from triggering, causing unbounded fragment accumulation until heap corruption occurs.
Since no verified exploit code is available, here is a prose description of the attack mechanism:
- Attacker connects a malicious USB host to a Linux gadget device exposing the Phonet function
- The host initiates OUT transfers to the Phonet endpoint
- Each transfer sends exactly PAGE_SIZE bytes (typically 4096 bytes)
- The gadget's pn_rx_complete() adds a fragment for each transfer but never finalizes the skb
- After 17+ consecutive full-page transfers, the frags[] array overflows
- Heap memory adjacent to skb_shared_info is corrupted, causing a crash or undefined behavior
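As an added illustration (not the kernel's code, and not taken from the patches listed below), the following user-space C model reproduces the control flow described in the analysis and in the sequence above: fragments accumulate in fp->rx.skb until a short transfer arrives, and the patched branch drops the message and counts a length error once nr_frags reaches MAX_SKB_FRAGS. The names model_skb, rx_state, rx_complete and replay are assumptions, as is the detail that the next transfer after a drop starts a fresh skb; the unpatched branch sets a flag where skb_add_rx_frag() would write past frags[] instead of corrupting memory.

```c
#include <stdbool.h>
#include <stddef.h>

#define PAGE_SIZE     4096
#define MAX_SKB_FRAGS 17   /* the limit the advisory cites as typical */

/* Stand-in for sk_buff + skb_shared_info: only the fragment bookkeeping */
struct model_skb { unsigned int nr_frags; size_t frag_len[MAX_SKB_FRAGS]; };

struct rx_state {
    struct model_skb *skb;          /* fp->rx.skb: message being assembled */
    struct model_skb  storage;
    unsigned long     rx_packets;   /* dev->stats.rx_packets */
    unsigned long     rx_length_errors;
    bool              oob_write;    /* unpatched path would write past frags[] */
};

/* One completed OUT transfer; a short one (actual < PAGE_SIZE) ends a message. */
static void rx_complete(struct rx_state *st, size_t actual, bool patched)
{
    if (!st->skb) {                 /* netdev_alloc_skb() for a new message */
        st->skb = &st->storage;
        st->skb->nr_frags = 0;
    }
    struct model_skb *skb = st->skb;
    if (skb->nr_frags >= MAX_SKB_FRAGS) {
        if (!patched) {             /* skb_add_rx_frag() would write frags[17] */
            st->oob_write = true;   /* flag it instead of corrupting memory */
            return;
        }
        st->rx_length_errors++;     /* fix: count a length error, drop the skb */
        st->skb = NULL;             /* assumed: next transfer starts a fresh skb */
        return;
    }
    skb->frag_len[skb->nr_frags++] = actual;   /* skb_add_rx_frag() */
    if (actual < PAGE_SIZE) {       /* last fragment: skb goes to netif_rx() */
        st->rx_packets++;
        st->skb = NULL;             /* finalize and reset fp->rx.skb */
    }
}

/* Replay `pages` full-page transfers, then one of `tail` bytes (a tail of
 * PAGE_SIZE means the host never sends the terminating short packet). */
static struct rx_state replay(unsigned pages, size_t tail, bool patched)
{
    struct rx_state st = {0};
    for (unsigned i = 0; i < pages; i++)
        rx_complete(&st, PAGE_SIZE, patched);
    if (tail < PAGE_SIZE)
        rx_complete(&st, tail, patched);
    return st;
}
```

With 17 full pages the unpatched model is still in bounds; the 18th is where the flag (and, in the kernel, the out-of-bounds write) fires, while the patched model records one rx_length_errors and keeps delivering subsequent well-formed messages.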
Detection Methods for CVE-2026-31616
Indicators of Compromise
- Kernel panic or oops messages referencing pn_rx_complete or f_phonet module
- Unexpected system crashes on devices with USB gadget functionality enabled
- Heap corruption warnings or memory errors in kernel logs related to skb operations
- Unusual USB activity patterns showing repeated full-page transfers to Phonet endpoints
Detection Strategies
- Monitor kernel logs for crashes or memory corruption errors in USB gadget subsystem
- Deploy kernel auditing to track USB gadget function activity and anomalous transfer patterns
- Use SentinelOne's Singularity platform to detect exploitation attempts through behavioral analysis
- Implement USB device monitoring to identify potentially malicious host connections
Monitoring Recommendations
- Enable kernel logging for USB gadget events and monitor for abnormal transfer volumes
- Configure alerts for kernel memory corruption events or unexpected crashes on gadget-enabled systems
- Audit systems for unnecessary USB gadget configurations that could expose this attack surface
- Review connected USB devices periodically on embedded Linux systems with gadget support
How to Mitigate CVE-2026-31616
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix for this vulnerability
- Disable the USB Phonet gadget function if not required for system operation
- Restrict physical access to USB ports on vulnerable embedded devices
- Monitor systems for signs of exploitation while patching is in progress
Patch Information
The Linux kernel team has released patches across multiple stable branches to address this vulnerability. The fix adds a bounds check to drop the skb and account for a length error when the fragment limit (MAX_SKB_FRAGS) is reached.
Patches are available at the following commits:
- Linux Kernel Commit 4e476c2
- Linux Kernel Commit 66f7471
- Linux Kernel Commit 9ceff12
- Linux Kernel Commit bd44ce0
- Linux Kernel Commit c088d5d
- Linux Kernel Commit c9315ce
Workarounds
- Disable the Phonet USB gadget function by unloading the g_phonet or f_phonet kernel module
- Remove USB gadget controller driver modules if gadget functionality is not required
- Implement physical security controls to prevent unauthorized USB host connections
- Use USB port blockers or disable USB ports at the hardware level on sensitive systems
# Configuration example
# Disable the Phonet USB gadget function
# (modprobe -r fails with "Module is in use" while the function is still
#  bound to a gadget; unbind the gadget first)
sudo modprobe -r usb_f_phonet
sudo modprobe -r g_phonet
# Blacklist the modules to prevent automatic loading
# (a blacklist entry only stops loading by alias; an explicit modprobe
#  of the module name still succeeds)
echo "blacklist usb_f_phonet" | sudo tee /etc/modprobe.d/disable-phonet-gadget.conf
echo "blacklist g_phonet" | sudo tee -a /etc/modprobe.d/disable-phonet-gadget.conf
# Update the initramfs so the blacklist applies at boot (Debian/Ubuntu;
# other distributions use their own initramfs tooling)
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.