Linux Kernel f_mass_storage Integer Overflow in check_command_size_in_blocks
CVE-2026-31412 Published on April 10, 2026

usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows.

NVD


Products Associated with CVE-2026-31412

Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.

Linux Kernel
 

Affected Versions

Linux: Linux: