CVE-2026-31401
HIGH
Linux - Out-of-bounds Write in HID-BPF Buffer Handling
Title source: llm
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: bpf: prevent buffer overflow in hid_hw_request
Right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrarily big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
References (4)
Scores
CVSS v3
7.8
EPSS
0.0001
EPSS Percentile
3.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (13)
Linux/Linux
< 6.11
Linux/Linux
6.11
Linux/Linux
6.12.78 - 6.12.*
Linux/Linux
6.18.20 - 6.18.*
Linux/Linux
6.19.10 - 6.19.*
Linux/Linux
7.0
Linux/Linux
7.0-rc5
Linux/Linux
8bd0488b5ea58655ad6fdcbe0408ef49b16882b1 - 2b658c1c442ec1cd9eec5ead98d68662c40fe645
Linux/Linux
8bd0488b5ea58655ad6fdcbe0408ef49b16882b1 - 73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1
Linux/Linux
8bd0488b5ea58655ad6fdcbe0408ef49b16882b1 - d6efaa50af62fb0790dd1fd4e7e5506b46312510
... and 3 more
Published
Apr 03, 2026
Tracked Since
Apr 03, 2026