CVE-2026-31524
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: asus: avoid memory leak in asus_report_fixup()
The asus_report_fixup() function was returning a newly allocated kmemdup()-allocated buffer, but never freeing it. Switch to devm_kzalloc() to ensure the memory is managed and freed automatically when the device is removed.
The caller of report_fixup() does not take ownership of the returned pointer, but it is permitted to return a pointer whose lifetime is at least that of the input buffer.
Also fix a harmless out-of-bounds read by copying only the original descriptor size.
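The ownership and copy-size points in the description, modelled in userspace C as an added example (not the kernel driver's code). `struct dev`, `dev_zalloc()`, `dev_release()` and `fixup_managed()` are hypothetical stand-ins for a device, `devm_kzalloc()`, device removal, and a `report_fixup()` that grows the descriptor by an assumed `extra` bytes.

```c
#include <stdlib.h>
#include <string.h>

struct node { struct node *next; };
struct dev { struct node *res; int live; };  /* stand-in for devres list */

/* Models devm_kzalloc(): zeroed memory owned by the device. */
static void *dev_zalloc(struct dev *d, size_t n)
{
    struct node *h = calloc(1, sizeof(*h) + n);
    if (!h) return NULL;
    h->next = d->res;
    d->res = h;
    d->live++;
    return h + 1;
}

/* Models device removal: every managed buffer is freed here. */
static void dev_release(struct dev *d)
{
    while (d->res) {
        struct node *h = d->res;
        d->res = h->next;
        free(h);
        d->live--;
    }
}

/* Fixed shape: the device owns the larger buffer and only the original
 * *rsize bytes are copied. The leaky shape duplicated *rsize + extra
 * bytes (reading past the source) into a buffer nothing ever freed. */
static unsigned char *fixup_managed(struct dev *d, const unsigned char *rdesc,
                                    size_t *rsize, size_t extra)
{
    unsigned char *buf = dev_zalloc(d, *rsize + extra);
    if (!buf) return NULL;
    memcpy(buf, rdesc, *rsize);
    *rsize += extra;
    return buf;
}

int main(void)
{
    struct dev d = {0};
    unsigned char desc[] = {0x05, 0x01, 0x09, 0x06}; /* constructed bytes */
    size_t sz = sizeof(desc);
    int ok = fixup_managed(&d, desc, &sz, 1) != NULL;
    dev_release(&d);
    return !(ok && sz == 5 && d.live == 0);
}
```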
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A memory leak in the Linux kernel's HID-asus driver, where asus_report_fixup() allocated a buffer via kmemdup() but never freed it, is fixed by switching to devm_kzalloc().
Vulnerability Analysis
The asus_report_fixup() function in the Linux kernel's HID-asus driver suffered from a memory leak. The function allocated a new buffer using kmemdup() but never freed it, as the caller of report_fixup() does not take ownership of the returned pointer. The fix switches to devm_kzalloc(), ensuring the memory is managed and automatically freed when the device is removed [1].
Exploitation and Impact
An attacker with physical access to a system using an ASUS HID device could repeatedly trigger the allocation, leading to memory exhaustion over time. The vulnerability is classified as medium severity (CVSS 5.5) and requires local access to exploit. The impact is a denial of service due to memory leak, as the kernel's memory is consumed without being released [2].
Mitigation
The fix has been applied to the Linux kernel stable tree. Users should update to a kernel version containing the commit that resolves this CVE. No workaround is available other than applying the patch [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (8)
- git.kernel.org/stable/c/2bad24c17742fc88973d6aea526ce1353f5334a3 (nvd, Patch)
- git.kernel.org/stable/c/2e4fe6b15c2f390c023b20d728b1a3fe7ea4f973 (nvd, Patch)
- git.kernel.org/stable/c/726765b43deb2b4723869d673cc5fc6f7a3b2059 (nvd, Patch)
- git.kernel.org/stable/c/7a6d6e4d8af044f94fa97e97af5ff2771e1fbebd (nvd, Patch)
- git.kernel.org/stable/c/84724ac4821a160d47b84289adf139023027bdbb (nvd, Patch)
- git.kernel.org/stable/c/a41cc7c1668e44ff2c2d36f9a6353253ffc43e3c (nvd, Patch)
- git.kernel.org/stable/c/ede95cfcab8064d9a08813fbd7ed42cea8843dcf (nvd, Patch)
- git.kernel.org/stable/c/f20f17cffbe34fb330267e0f8084f5565f807444 (nvd, Patch)