CVE-2026-31401
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: bpf: prevent buffer overflow in hid_hw_request
Right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrarily big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, a missing bounds check in HID-BPF's hid_hw_request can cause a buffer overflow via an attacker-controlled return value.
Vulnerability
The Linux kernel's HID subsystem, when using BPF (HID-BPF), contains a buffer overflow vulnerability in the hid_hw_request function. The issue arises because the return value from dispatch_hid_bpf_raw_requests() is assumed to always be valid, but when HID-BPF struct_ops are invoked, the returned value can be arbitrarily large, as it is user-controlled via BPF programs [1][2][4].
Exploitation
An attacker with the ability to load a HID-BPF program (typically requiring local access or a privileged position) can craft a BPF program that returns an enormous value from dispatch_hid_bpf_raw_requests(). This unchecked return value is then used in hid_hw_request without proper bounds validation, leading to a buffer overflow when copying data into a fixed-size buffer [3]. No special hardware is required beyond a kernel configured with CONFIG_HID_BPF.
Impact
Successful exploitation results in a kernel buffer overflow, which can corrupt adjacent memory, potentially leading to a system crash (denial of service) or, under controlled conditions, privilege escalation. The CVSS score of 7.8 reflects the high impact on confidentiality, integrity, and availability, due to the possibility of arbitrary code execution in kernel context.
Mitigation
The fix was applied in multiple stable kernel commits, including those referenced in the advisory [1][2][3][4]. Users should apply the latest kernel updates from their distribution to ensure the validation of the HID-BPF return value is enforced.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
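The validation described under Mitigation, as an added user-space sketch that is not the kernel's code or the upstream patch: a caller treats the length reported by an untrusted hook as untrusted and bounds it by the buffer it owns before copying. The hook type, `checked_len`, `request_report`, the 64-byte buffer, and the choice to clamp rather than reject are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a HID-BPF struct_ops hook: fills buf and
 * returns the byte count it claims to have produced, or a negative errno. */
typedef int (*raw_request_hook)(uint8_t *buf, size_t len);

/* Constructed hook: writes up to 4 bytes and reports that count. */
static int honest_hook(uint8_t *buf, size_t len)
{
    size_t n = len < 4 ? len : 4;
    memset(buf, 0xAB, n);
    return (int)n;
}

/* Constructed hook: stays inside buf but claims 1 MiB was produced. */
static int lying_hook(uint8_t *buf, size_t len)
{
    memset(buf, 0xCD, len);
    return 1 << 20;
}

/* Bound the hook's return value by the buffer the caller owns. Errors
 * pass through; an oversized count is clamped to len. */
static int checked_len(int ret, size_t len)
{
    if (ret < 0)
        return ret;
    return (size_t)ret > len ? (int)len : ret;
}

/* Run the hook into a request buffer, then copy only the validated
 * number of bytes to the caller. Returns bytes copied or -errno. */
int request_report(raw_request_hook hook, uint8_t *report, size_t report_len)
{
    uint8_t buf[64] = {0};
    size_t len = report_len < sizeof(buf) ? report_len : sizeof(buf);
    int ret = checked_len(hook(buf, len), len);
    if (ret > 0)
        memcpy(report, buf, (size_t)ret);
    return ret;
}

int main(void)
{
    uint8_t r[16];
    return (request_report(honest_hook, r, sizeof(r)) == 4 &&
            request_report(lying_hook, r, sizeof(r)) == 16) ? 0 : 1;
}
```

Without `checked_len`, the `memcpy` length would come straight from the hook, which is the pattern the CVE description calls out.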
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.