PT-2026-34968 · Linux · Linux Kernel

Published 2026-04-24 · Updated 2026-05-06 · CVE-2026-31616

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A flaw exists in the USB gadget Phonet function where a USB host can cause an overflow of the skb_shared_info->frags[] array. This occurs when the host sends an unbounded sequence of full-page OUT transfers. The pn_rx_complete() function only finalizes the socket buffer (skb) when the actual length is less than the requested length. If the host consistently sends exactly PAGE_SIZE bytes, fp->rx.skb is never reset, and each completion adds a fragment via skb_add_rx_frag(). Once the number of fragments exceeds MAX_SKB_FRAGS, memory adjacent to the shared information on the heap is overwritten.

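The accumulation described above, as an added example: a userspace C model that counts fragment adds, not kernel code and not the upstream fix. The names rx_model, rx_complete() and simulate() are hypothetical, and the 4 KiB page size, the MAX_SKB_FRAGS value of 17 and the drop-on-limit check are assumptions.

```c
#include <stdio.h>
#define PAGE_SIZE     4096u /* assumption: 4 KiB pages */
#define MAX_SKB_FRAGS 17u   /* assumption: common kernel default */

/* Userspace model of the state the description names (not kernel code). */
struct rx_model {
    int      have_skb;   /* models fp->rx.skb being non-NULL */
    unsigned nr_frags;   /* used slots in the modelled frags[] */
    unsigned oob_writes, delivered, dropped; /* past-the-end adds, finalized, discarded */
};

/* One OUT completion; bounded=1 adds a hypothetical limit check. */
static void rx_complete(struct rx_model *m, unsigned actual, unsigned length, int bounded)
{
    if (!m->have_skb) {            /* first page of a new packet */
        m->have_skb = 1;
        m->nr_frags = 0;
    }
    if (m->nr_frags >= MAX_SKB_FRAGS) {
        if (bounded) {             /* discard the packet, reset state */
            m->have_skb = 0;
            m->dropped++;
            return;
        }
        m->oob_writes++;           /* the model counts, it never writes */
    }
    m->nr_frags++;                 /* models skb_add_rx_frag() */
    if (actual < length) {         /* only a short transfer finalizes */
        m->have_skb = 0;
        m->delivered++;
    }
}

/* Feed n full-page transfers, then one short transfer. */
struct rx_model simulate(unsigned n, int bounded)
{
    struct rx_model m = {0};
    for (unsigned i = 0; i < n; i++)
        rx_complete(&m, PAGE_SIZE, PAGE_SIZE, bounded);
    rx_complete(&m, 64, PAGE_SIZE, bounded);
    return m;
}

int main(void)
{
    struct rx_model a = simulate(100, 0), b = simulate(100, 1);
    printf("described: oob=%u  bounded: oob=%u dropped=%u\n", a.oob_writes, b.oob_writes, b.dropped);
    return 0;
}
```
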
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Memory Leak

Weakness Enumeration

Related Identifiers

CVE-2026-31616
ECHO-C104-483D-7EFB
OPENSUSE-SU-2026:10703-1

Affected Products

Linux Kernel