CVE-2026-31624

MEDIUM EPSS 2.6%
Published Apr 24, 20262mo ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Apr 24, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 6

VendorProductVersionRange
linuxlinux_kernel*≥2.6.20.1  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel*≥7.0  –  <7.0.1
linuxlinux_kernel2.6.20any

References 9

  • git.kernel.org https://git.kernel.org/stable/c/0ab048dbdb1daacf17d52e9252297eb6e1298e49
  • git.kernel.org https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/76ad02854a30c394e0c076e6e6bed0a388573a94
  • git.kernel.org https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/eb415ddaf25e09ddb8fe5736a70c9de2e6462534

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc
    Patch