CVE-2026-31520
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: apple: avoid memory leak in apple_report_fixup()
The apple_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it.
The caller of report_fixup() does not take ownership of the returned pointer, but it *is* permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's HID apple driver occurs when apple_report_fixup() allocates a buffer with kmemdup() but never frees it; over time this can exhaust system memory.
Vulnerability
Description
A memory leak vulnerability exists in the Linux kernel's HID (Human Interface Device) subsystem, specifically in the Apple HID driver. The function apple_report_fixup() allocates a new buffer using kmemdup() but never frees it after use. The intended design of the report_fixup() callback is that it may return a pointer to a sub-portion of the input report descriptor (rdesc) whose lifetime is managed by the caller, not a newly allocated buffer. By returning the kmemdup-allocated memory, the driver creates an unreferenced allocation that cannot be freed, resulting in a memory leak [1][2][3][4].
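The ownership contract described above can be reproduced in a small userspace model. This is an added example, not kernel code and not the upstream patch: `dup_buf()` stands in for kmemdup(), and `fixup_leaky`, `fixup_in_place`, `leaked_after` and the sample descriptor bytes are hypothetical names and constructed data.

```c
/* Userspace model of the report_fixup() ownership contract; constructed, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static long live_allocs; /* buffers allocated and not yet freed */
static unsigned char *dup_buf(const unsigned char *src, size_t len) { /* stands in for kmemdup() */
    unsigned char *p = malloc(len);
    if (p) { memcpy(p, src, len); live_allocs++; }
    return p;
}
static void free_buf(unsigned char *p) { if (p) { free(p); live_allocs--; } }

typedef const unsigned char *(*fixup_fn)(unsigned char *rdesc, size_t *rsize);
/* Leaky pattern: hands back a fresh copy that the caller will never free. */
static const unsigned char *fixup_leaky(unsigned char *rdesc, size_t *rsize) {
    unsigned char *copy = dup_buf(rdesc, *rsize);
    if (!copy) return rdesc;
    copy[0] = 0x05; /* constructed one-byte patch */
    return copy;
}

/* Contract-respecting pattern: patch the caller's buffer, return a sub-portion of it. */
static const unsigned char *fixup_in_place(unsigned char *rdesc, size_t *rsize) {
    if (*rsize < 2) return rdesc;
    rdesc[1] = 0x05;
    *rsize -= 1;
    return rdesc + 1;
}

/* Modeled caller: owns only its input buffer, copies the result out, frees the input. */
static long leaked_after(fixup_fn fixup, int probes) {
    static const unsigned char sample[] = { 0x06, 0x00, 0xff, 0x09, 0x01, 0xa1, 0x01, 0xc0 };
    long before = live_allocs;
    for (int i = 0; i < probes; i++) {
        unsigned char parsed[sizeof(sample)];
        size_t rsize = sizeof(sample);
        unsigned char *rdesc = dup_buf(sample, rsize);
        if (!rdesc) break;
        const unsigned char *fixed = fixup(rdesc, &rsize);
        memcpy(parsed, fixed, rsize); /* caller keeps its own copy of the result */
        free_buf(rdesc);              /* the returned pointer itself is never freed */
    }
    return live_allocs - before;
}

int main(void) {
    printf("leaky=%ld in_place=%ld\n", leaked_after(fixup_leaky, 1000), leaked_after(fixup_in_place, 1000));
    return 0;
}
```

Each probe through the leaky callback leaves one allocation outstanding, while the in-place callback leaves none, which is the per-invocation leak the description refers to.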
Exploitation
An attacker with physical access to the system or the ability to plug in a malicious HID device that triggers the Apple HID driver's report fixup path can repeatedly trigger this leak. No authentication is required, as the attack relies on device enumeration at the hardware level. Each invocation of apple_report_fixup() leaks a small amount of memory, so the vulnerability must be triggered many times to cause noticeable impact [1][2].
Impact
Successful exploitation leads to gradual depletion of system memory (kernel memory exhaustion). Over time, this can cause system instability, denial of service (DoS), or even a system crash. The CVSSv3 score is 5.5 (Medium), reflecting the need for repeated interaction and the resulting denial-of-service impact [1][2][3][4].
Mitigation
The fix is included in the Linux kernel stable updates corresponding to commits referenced in [1], [2], [3], and [4]. The patch ensures that apple_report_fixup() no longer leaks memory by using the buffer correctly. Users should update their kernel to a version containing these commits to mitigate the vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0 (no patches discovered yet)
References
- git.kernel.org/stable/c/239c15116d80f67d32f00acc34575f1a6b699613 (nvd, Patch)
- git.kernel.org/stable/c/2635d0c715f3fb177e0f80ecd5fa48feb6bf3884 (nvd, Patch)
- git.kernel.org/stable/c/31860c3f7ac66ab897a8c90dc4e74fa17ca0b624 (nvd, Patch)
- git.kernel.org/stable/c/be1a341c161430282acdfe2ac99b413271575cf1 (nvd, Patch)
- git.kernel.org/stable/c/e2f090aeb7b9930a964e151910f4d45b04c8a7e5 (nvd, Patch)
- git.kernel.org/stable/c/e652ebd29928181c3e6820e303da25873e9917d4 (nvd, Patch)