Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
Critical

Heap out-of-bounds write in Linux kernel usbip_pack_ret_submit()

IdentifiersCVE-2026-31607CWE-787· Out-of-bounds Write

CVE-2026-31607 is a Linux kernel USB/IP client-side memory corruption vulnerability in the handling of RET_SUBMIT responses for isochronous URBs. In usbip_pack_ret_submit(), the client unconditionally overwrites urb->number_of_packets with the number_of_packets value received from the network PDU. That field is later used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed when the URB was originally allocated based on the number_of_packets from the earlier CMD_SUBMIT request. A malicious USB/IP server can return a RET_SUBMIT response with number_of_packets larger than the original submitted value, causing usbip_recv_iso() to write past the end of urb->iso_frame_desc[] and trigger a heap out-of-bounds write. The issue was confirmed by KASAN on kernel 7.0.0-rc5 as a slab-out-of-bounds write in usbip_recv_iso(). The fix adds validation in usbip_pack_ret_submit() to ensure rpdu->number_of_packets does not exceed the original urb->number_of_packets before overwriting it; invalid values are clamped to zero so downstream receive/padding paths return safely.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a malicious USB/IP server to corrupt heap memory in kernel space on the client system. The immediate consequence is an out-of-bounds write into memory adjacent to urb->iso_frame_desc[], which can lead to kernel crashes or denial of service. Because the corruption occurs in kernel context and is attacker-influenced over the network protocol, the impact can potentially extend to broader kernel memory corruption and possible code execution, depending on target state and exploitability.

Mitigation

If you can’t patch tonight, do this now.

If patching is not immediately possible, reduce exposure by disabling or avoiding use of the USB/IP client functionality where feasible, and do not connect vulnerable clients to untrusted or unauthenticated USB/IP servers. Restrict network reachability to trusted USB/IP endpoints only, using segmentation and access controls to prevent malicious servers from delivering crafted RET_SUBMIT responses.

Remediation

Patch, then assume compromise.

Upgrade to a Linux kernel release containing the fix for CVE-2026-31607. The remediation is to validate rpdu->number_of_packets against the original urb->number_of_packets in usbip_pack_ret_submit() before updating the URB state, and to reject or clamp invalid values so usbip_recv_iso() and usbip_pad_iso() cannot iterate beyond the originally allocated iso_frame_desc[] bounds. Vendor kernel updates from SUSE, Red Hat, and downstream distributions include this fix.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

6 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-31607
NVD
nvd.nist.gov/vuln/detail/CVE-2026-31607
MITRE CWE · CWE-787
Out-of-bounds Write
Patch
git.kernel.org/stable/c/2ab833a16a825373aad2ba7d54b572b277e95b71
Patch
git.kernel.org/stable/c/5e1c4ece08ccdc197177631f111845a2c68eede3
Patch
git.kernel.org/stable/c/885c8591784da6314f9aa82fa460ac69f9f79e5f
Patch
git.kernel.org/stable/c/8d155e2d1c4102f74f82a2bf9c016164bb0f7384
Patch
git.kernel.org/stable/c/906f16a836de13fe61f49cdce2f66f2dbd14caf4
Patch
git.kernel.org/stable/c/ef8ebb1c637b4cfb61a9dd2e013376774ee2033b
git.kernel.org
git.kernel.org/stable/c/324262c38438255bf6bdbf6342ca47c0badaab76
git.kernel.org
git.kernel.org/stable/c/973f2c250289f5bf6cc146b98aa6fdde11fe50d6
git.kernel.org
git.kernel.org/stable/c/ce744264b06b97069b3722511ab355738311fee0