Skip to main content

Linux Kernel CVE-2026-31624

| EUVDEUVD-2026-25517 MEDIUM
2026-04-24 Linux GHSA-7r46-pv4v-9gxj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 14:07 vuln.today
CVSS changed
Apr 28, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 14:02 nvd
Patch available
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25517
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

HID: core: clamp report_size in s32ton() to avoid undefined shift

s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field().

Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way.

Fix this up by just clamping the max value of n, just like snto32() does.

AnalysisAI

Shift-out-of-bounds vulnerability in Linux kernel HID core driver allows local authenticated attackers to cause denial of service via crafted HID device report descriptors with oversized fields that trigger undefined bit-shift operations in the s32ton() function. A malicious or malfunctioning HID device can supply a report_size value up to 256, causing shifts on 32-bit integers with exponents exceeding safe limits, crashing the kernel or triggering undefined behavior. CVSS 5.5 reflects local-only attack vector with low complexity and requirement for user/driver privileges to process HID output reports.

Technical ContextAI

The vulnerability exists in the Linux kernel's HID (Human Interface Device) core driver, specifically in the s32ton() function used to convert 32-bit signed integers to variable-width field values when building HID output reports. The HID parser validates report_size only to a maximum of 256 bytes, but s32ton() performs a bit shift of n-1 where n is the report_size without clamping for 32-bit integer overflow. When report_size > 33 on 32-bit systems (or exceeds the integer width), the shift operation becomes undefined behavior per C standards. The related function snto32() had been fixed previously via commit ec61b41918587 to clamp n > 32, but s32ton() lacked the same protection. This is a bounds-checking error (shift-out-of-bounds) triggered by untrusted HID descriptor data during hid_output_field() or hid_set_field() operations.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83 or later, 6.18.24 or later, 6.19.14 or later, or 7.0.1 or later, depending on your baseline kernel series. Apply the fix by pulling the stable commits from kernel.org (referenced in git commit links). For systems unable to immediately upgrade, disable or restrict HID device hotplugging via BIOS/UEFI settings if USB insertion is not required, and audit kernel module loading permissions to prevent unprivileged users from loading malicious HID drivers. As a temporary workaround on systems with untrusted physical access, disable the HID subsystem entirely via kernel boot parameter hid=off if not needed, though this will disable all connected keyboards, mice, and gamepads. Verify kernel version post-patch with uname -r to confirm the fix is applied.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31624 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy