External risk intelligence

Linux USB/IP could allow an external attacker to crash the system.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-31607

The Linux kernel USB/IP component has a flaw that allows an external attacker to crash the system or gain unauthorized control. By directing a user to a malicious server, the attacker could trigger system failures and compromise sensitive business operations.

1Halo Surface Signal

Out-of-bounds Write

Linux Kernel

2.6.39 to before 6.6.1366.7 to before 6.12.836.13 to before 6.18.246.19 to before 6.19.147.0 to before 7.0.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-31607

The vulnerability resides in the USB/IP client and is triggered only when the client actively connects to a malicious server. USB/IP is a specialized protocol typically used within isolated internal networks to share devices, not as a service exposed to the public internet. Due to its client-side nature and niche deployment, exposure to the public internet is not a characteristic of normal use.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Linux kernel's USB/IP subsystem allows a malicious server to cause a memory overwrite. When a USB/IP client receives a response from a server, a value indicating the number of packets can be manipulated to exceed the allocated buffer size. This can lead to instability and crashes.

  • Can affect systems using USB/IP.
  • A compromised server is required.
  • Causes potential system crashes.

Attack Path

How an attacker could exploit the issue

A malicious USB/IP server could exploit this by sending a crafted response to a client. This response would contain a larger number of packets than the client originally expected, leading to a heap buffer overflow on the client. This could allow an attacker to overwrite critical memory structures on the vulnerable client system.

  • Requires a malicious server.
  • Vulnerable client action: receiving RET_SUBMIT.
  • Server must control the client's network.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability offers an attacker control over a USB/IP server to potentially cause a heap out-of-bounds write on the client. While this can lead to serious impacts like crashes or code execution, it requires the client to connect to a malicious server. Therefore, exploitation is more likely in targeted scenarios rather than widespread automated attacks.

  • Requires client to connect to malicious server.
  • Niche use case limits broad appeal.
  • No publicly available exploit code observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected Linux kernels to mitigate heap out-of-bounds writes. If patching is delayed, focus on isolating systems that utilize the USB/IP client and monitoring for unusual USB/IP traffic, as a malicious server can exploit this vulnerability.

  • Apply Linux kernel patches.
  • Isolate USB/IP client systems.
  • Monitor USB/IP traffic.

Frequently asked questions

What is USB/IP in the Linux kernel?

USB/IP is a protocol that allows USB devices connected to one machine to be shared over a network, making them accessible to other machines as if they were locally connected. It is used for sharing physical USB devices across different computers, often in specialized environments rather than typical desktop use.

What kind of weakness does CVE-2026-31607 represent?

CVE-2026-31607 is a heap out-of-bounds write vulnerability. This occurs when a program attempts to write data beyond the memory buffer allocated on the heap, potentially corrupting adjacent memory and leading to system instability or crashes.

How is the CVE-2026-31607 vulnerability triggered?

This vulnerability is triggered when a USB/IP client receives a specific type of response (RET_SUBMIT) from a USB/IP server. If the server crafts this response with a larger `number_of_packets` value than the client initially expected, it can cause the client to write data outside its allocated memory buffer. Connecting to a legitimate server does not trigger the bug.

Who should be concerned about CVE-2026-31607?

Organizations using the Linux kernel and specifically employing the USB/IP client functionality should be concerned. The Halo Surface Signal indicates this is an external-facing vulnerability, meaning systems that might interact with untrusted USB/IP servers could be at risk.

What is the first step to address this Linux kernel vulnerability?

The primary step is to update the Linux kernel to a patched version. This resolves the underlying issue in how the USB/IP client handles incoming packet counts. If immediate patching is not possible, isolating systems that use the USB/IP client can help reduce exposure.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified