{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "b91cd1440870f7a0649e570498b7b93caf9f781c"
            },
            {
              "fixed": "3d7f7e0c842242878c24b2facff8d6eda23ee1e9"
            },
            {
              "fixed": "b5ec49fa198bd08967a3102bd41f53ccadce72c9"
            },
            {
              "fixed": "7424f0287da73d3d8c5fa5e9d25d26fce762708e"
            },
            {
              "fixed": "9ceff1251904901b0b4e5fe6350fcaffa368ce83"
            },
            {
              "fixed": "c9315ce9da3632c591666a29de82d3e92d46bec1"
            },
            {
              "fixed": "4e476c25bfcab0535ba7c76a903ae77ca8747711"
            },
            {
              "fixed": "bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"
            },
            {
              "fixed": "66f7471c4042e4eb300e30b5b9d87d1406862673"
            },
            {
              "fixed": "c088d5dd2fffb4de1fb8e7f57751c8b82942180a"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.32"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.136"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.83"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.24"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.14"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.20.0"
            },
            {
              "fixed": "7.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31616.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()\n\nA broken/bored/mean USB host can overflow the skb_shared_info-\u003efrags[]\narray on a Linux gadget exposing a Phonet function by sending an\nunbounded sequence of full-page OUT transfers.\n\npn_rx_complete() finalizes the skb only when req-\u003eactual \u003c req-\u003elength,\nwhere req-\u003elength is set to PAGE_SIZE by the gadget.  If the host always\nsends exactly PAGE_SIZE bytes per transfer, fp-\u003erx.skb will never be\nreset and each completion will add another fragment via\nskb_add_rx_frag().  Once nr_frags exceeds MAX_SKB_FRAGS (default 17),\nsubsequent frag stores overwrite memory adjacent to the shinfo on the\nheap.\n\nDrop the skb and account a length error when the frag limit is reached,\nmatching the fix applied in t7xx by commit f0813bcd2d9d (\"net: wwan:\nt7xx: fix potential skb-\u003efrags overflow in RX path\").",
  "id": "CVE-2026-31616",
  "modified": "2026-07-08T05:37:01.903362475Z",
  "published": "2026-04-24T14:42:35.480Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d7f7e0c842242878c24b2facff8d6eda23ee1e9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4e476c25bfcab0535ba7c76a903ae77ca8747711"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/66f7471c4042e4eb300e30b5b9d87d1406862673"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7424f0287da73d3d8c5fa5e9d25d26fce762708e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9ceff1251904901b0b4e5fe6350fcaffa368ce83"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b5ec49fa198bd08967a3102bd41f53ccadce72c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd44ce09b9b569f49ed13e2d87d23d853fc7d6a7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c088d5dd2fffb4de1fb8e7f57751c8b82942180a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9315ce9da3632c591666a29de82d3e92d46bec1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31616.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31616"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "summary": "usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()"
}