PT-2026-34969 · Linux · Linux Kernel
Published: 2026-04-24 · Updated: 2026-05-06 · CVE-2026-31617
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
An issue exists in the ncm_unwrap_ntb() function where the block_len read from the host-supplied NTB header lacks a lower bound check. When block_len is smaller than opts->ndp_size, the bounds check ndp_index > (block_len - opts->ndp_size) underflows, creating a large unsigned value that bypasses the check. A similar underflow occurs during datagram index checks against block_len - opts->dpe_size. This allows a malicious USB host to specify ndp_index and datagram offsets that point beyond the actual transfer, leading the skb_put_data() function to copy adjacent kernel memory into the network skb.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
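The unsigned wraparound from the description, modelled in user-space C as an added example (not kernel code and not an upstream patch). The helper names, the 32-bit unsigned types and the sample values are assumptions for illustration; the same shape applies to both the ndp_size and the dpe_size checks, and the hardened variant shows one way to add the missing lower bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Check shape from the description: index > (block_len - size), with no
 * lower bound on block_len. Types are assumed to be 32-bit unsigned. */
static bool index_ok_unchecked(uint32_t block_len, uint32_t size, uint32_t index)
{
    /* If block_len < size, the subtraction wraps to a value near 2^32,
     * so almost any index compares as "in range". */
    return !(index > (block_len - size));
}

/* Hardened variant (illustrative, not the upstream fix): reject a block
 * that cannot hold even one structure before doing the subtraction. */
static bool index_ok_hardened(uint32_t block_len, uint32_t size, uint32_t index)
{
    if (block_len < size)
        return false;
    return index <= block_len - size;
}

int main(void)
{
    /* Constructed sample values; 16 stands in for opts->ndp_size. */
    const uint32_t size = 16;
    const struct { uint32_t block_len, index; const char *note; } cases[] = {
        { 2048,   12, "well-formed header" },
        { 2048, 4000, "index past end of block" },
        {    8, 4000, "block_len smaller than structure size" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t limit = cases[i].block_len - size; /* wraps in the last case */
        printf("%-40s limit=%10u unchecked=%s hardened=%s\n", cases[i].note,
               (unsigned)limit,
               index_ok_unchecked(cases[i].block_len, size, cases[i].index) ? "accept" : "reject",
               index_ok_hardened(cases[i].block_len, size, cases[i].index) ? "accept" : "reject");
    }
    return 0;
}
```

Only the last case separates the two checks: the wrapped limit makes the unchecked form accept an index that the hardened form rejects.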
Affected Products
Linux Kernel