{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31624", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.124Z", "datePublished": "2026-04-24T14:42:41.655Z", "dateUpdated": "2026-05-11T22:12:24.557Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:24.557Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device. The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/hid-core.c"], "versions": [{"version": "dde5845a529ff753364a6d1aea61180946270bfa", "lessThan": "932ae5309e53561197aa7d1606c7cf63af10e24f", "status": "affected", "versionType": "git"}, {"version": "dde5845a529ff753364a6d1aea61180946270bfa", "lessThan": "58386f00af710922cafb0fb69211497beddfaa95", "status": "affected", "versionType": "git"}, {"version": "dde5845a529ff753364a6d1aea61180946270bfa", "lessThan": "8a8333237f1f5caab8d4c3d2c2e7578c4263a97f", "status": "affected", "versionType": "git"}, {"version": "dde5845a529ff753364a6d1aea61180946270bfa", "lessThan": "ea363a34086ddb4231adc581a7f36c39ec154bfc", "status": "affected", "versionType": "git"}, {"version": "dde5845a529ff753364a6d1aea61180946270bfa", "lessThan": "97014719bb8fccb1ffcbbc299e84b1f11b114195", "status": "affected", "versionType": "git"}, {"version": "dde5845a529ff753364a6d1aea61180946270bfa", "lessThan": "69c02ffde6ed4d535fa4e693a9e572729cad3d0d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/hid-core.c"], "versions": [{"version": "2.6.20", "status": "affected"}, {"version": "0", "lessThan": "2.6.20", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.136", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.83", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.24", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.14", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.1", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.6.136"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.12.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.18.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "6.19.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "7.0.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.20", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f"}, {"url": "https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95"}, {"url": "https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f"}, {"url": "https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc"}, {"url": "https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195"}, {"url": "https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d"}], "title": "HID: core: clamp report_size in s32ton() to avoid undefined shift", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "098695E6-95CE-401B-AC16-CEBD793B4DF1", "versionEndExcluding": "6.6.136", "versionStartIncluding": "2.6.20.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8", "versionEndExcluding": "6.12.83", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555", "versionEndExcluding": "6.18.24", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB", "versionEndExcluding": "6.19.14", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A", "versionEndExcluding": "7.0.1", "versionStartIncluding": "7.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.20:-:*:*:*:*:*:*", "matchCriteriaId": "5AE1560A-DECA-4BC6-87F6-F3F9ED544840", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device. The HID parser bounds report_size\nonly to <= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n > 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes."}], "id": "CVE-2026-31624", "lastModified": "2026-04-28T14:02:38.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:41.697", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: HID: core: clamp report_size in s32ton() to avoid undefined shift", "id": "2461477", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461477"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-1335", "details": ["A flaw was found in the Linux kernel's Human Interface Device (HID) core. A malicious or malformed HID device could provide a specially crafted report descriptor with an overly large `report_size` value. This could lead to an undefined shift operation within the `s32ton()` function when processing output reports. This vulnerability may result in system instability or a denial of service (DoS)."], "name": "CVE-2026-31624", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31624\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31624\nhttps://lore.kernel.org/linux-cve-announce/2026042426-CVE-2026-31624-e19a@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dde5845a529ff753364a6d1aea61180946270bfa,932ae5309e53561197aa7d1606c7cf63af10e24f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dde5845a529ff753364a6d1aea61180946270bfa,58386f00af710922cafb0fb69211497beddfaa95)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dde5845a529ff753364a6d1aea61180946270bfa,8a8333237f1f5caab8d4c3d2c2e7578c4263a97f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dde5845a529ff753364a6d1aea61180946270bfa,ea363a34086ddb4231adc581a7f36c39ec154bfc)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dde5845a529ff753364a6d1aea61180946270bfa,97014719bb8fccb1ffcbbc299e84b1f11b114195)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[dde5845a529ff753364a6d1aea61180946270bfa,69c02ffde6ed4d535fa4e693a9e572729cad3d0d)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.6.20"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.20)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.136,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.83,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.24,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.14,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0.1,7.1.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.1-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T20:08:41.717734+00:00", "value": {"mitigation_remediation": ["Upgrade to a Linux kernel release that includes commit ec61b41918587 or later, which clamps the maximum shift in s32ton().", "If an immediate kernel upgrade is not feasible, consider disabling or restricting HID device access for untrusted users, for example by applying udev rules to block unknown HID devices or by confining devices to a sandbox that prevents kernel corruption.", "Monitor system logs and kernel panic records for signs of abnormal HID activity; ensure that reboot or crash reporting is enabled to detect potential exploitation attempts."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the Linux HID core before the removal of the unchecked shift in s32ton() are affected. Versions that do not contain the commit that clamps the shifting (currently present only in the kernel master as of commit ec61b41918587) can be impacted. The vulnerability affects the kernel's HID subsystem and therefore any system that accepts HID devices such as keyboards, mice, game controllers, or custom USB HID devices. Vendor identification is Linux for all affected builds.", "description_and_impact": "In the Linux kernel, the function s32ton() performs a left shift by (report_size\u20111) where report_size comes directly from a HID device report descriptor. Because HID parsers limit report_size only to 256, a malicious device can supply a descriptor that causes a shift of 255 positions on a 32\u2011bit type. This results in an undefined shift operation, which can corrupt kernel memory or cause a crash. The vulnerability is classified as a shift\u2011overflow weakness (CWE\u20111335) and can lead to a denial of service by causing a kernel panic when processing output reports for HID devices.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate severity risk, but the EPSS score of <1% suggests that this bug is unlikely to be actively exploited in the wild. It is not listed in the CISA Known\u2011Exploited Vulnerabilities catalog. The vulnerability requires an attacker to supply a crafted HID report descriptor via a physical or virtual HID device, which typically limits exposure to environments with arbitrary device injection capabilities. Consequently, the risk is high for systems that run unpatched kernels and host unfiltered HID devices, but the practical exploitation window is narrow."}}}}, "created": "2026-04-27T18:45:11.328267+00:00", "updated": "2026-04-28T20:15:26.813553+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}