{
  "public_date" : "2026-04-10T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()",
    "id" : "2457276",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457276"
  },
  "cwe" : "CWE-1335",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\nInitially, the block size is set up in `fsg_lun_open()`, and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows.", "A flaw was found in the Linux kernel's USB mass storage gadget module (`usb-gadget-f_mass_storage`). A remote attacker, acting as a malicious USB host, could send a specially crafted SCSI READ or WRITE command. This action could trigger an integer overflow during data size calculation, leading to an incorrect size. This issue may bypass boundary checks, potentially resulting in memory corruption or out-of-bounds memory access." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31412\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31412\nhttps://lore.kernel.org/linux-cve-announce/2026041044-CVE-2026-31412-bbc3@gregkh/T" ],
  "name" : "CVE-2026-31412",
  "csaw" : false
}