CVE-2026-31624
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: core: clamp report_size in s32ton() to avoid undefined shift
s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field().
Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way.
Fix this up by just clamping the max value of n, just like snto32() does.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel HID core's s32ton() function fails to clamp report_size before shifting, allowing a malicious HID device to trigger undefined behavior via an overly large report field.
Vulnerability Description
The function s32ton() in the Linux kernel's HID core performs a shift operation using n-1, where n is the report_size value taken directly from a HID device's report descriptor. Although the HID parser bounds report_size to ≤ 256, this permits shift exponents up to 255 on a 32-bit integer, leading to undefined behavior (UB) when building an output report via hid_output_field() or hid_set_field() [1].
Exploitation Path
An attacker who can connect or emulate a malicious HID device (e.g., via USB or Bluetooth) can craft a report descriptor with an abnormally wide field. No special privileges are required beyond the ability to interact with the HID subsystem. The vulnerable code path is triggered when the kernel processes an output report, shifting by a large exponent that causes UB [1].
Impact
Exploitation results in a medium-severity (CVSS 5.5) issue that is primarily a denial-of-service (DoS) risk. Undefined behavior can lead to system crashes or memory corruption, although remote exploitation is unlikely since the attacker's access to the device is physical or local [1].
Mitigation
The fix clamps report_size to a maximum of 32 bits before the shift, mirroring the clamp already applied to the similar function snto32() in commit ec61b41918587 [1]. The patch has been merged into stable kernel branches, and users should apply updates from their distribution's kernel packages.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
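The clamp described under Mitigation, as an added userspace model in C. It is not the kernel's source: the function names, the 64-bit intermediates and the saturation on overflow are assumptions of this example. It shows that a report_size of 256 yields a shift exponent outside the range defined for a 32-bit type, and that clamping n to 32 keeps the conversion well defined.

```c
#include <stdint.h>
#include <stdio.h>

/* A shift on a 32-bit type is only defined for exponents 0..31. */
static int shift_defined_for_32bit(unsigned exponent)
{
    return exponent < 32;
}

/* The clamp the CVE text describes: fields wider than 32 bits are treated as 32. */
static unsigned clamp_report_size(unsigned n)
{
    return n > 32 ? 32 : n;
}

/*
 * Userspace model (assumption, not kernel code): encode a signed 32-bit
 * value as an n-bit two's-complement field, saturating if it does not fit.
 * 64-bit intermediates keep every shift defined once n <= 32.
 */
static uint32_t model_s32ton(int32_t value, unsigned n)
{
    if (!value || !n)
        return 0;
    n = clamp_report_size(n);

    int64_t max = ((int64_t)1 << (n - 1)) - 1;
    int64_t min = -max - 1;
    int64_t v = value;
    if (v > max) v = max;
    if (v < min) v = min;

    uint64_t mask = ((uint64_t)1 << n) - 1;
    return (uint32_t)((uint64_t)v & mask);
}

int main(void)
{
    /* Constructed report_size values; 256 is the parser's upper bound. */
    unsigned sizes[] = { 8, 16, 32, 33, 256 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        unsigned n = sizes[i];
        printf("report_size=%3u raw exponent=%3u defined=%d clamped=%2u s32ton(-5)=0x%08x\n",
               n, n - 1, shift_defined_for_32bit(n - 1),
               clamp_report_size(n), (unsigned)model_s32ton(-5, n));
    }
    return 0;
}
```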
Affected products (2)
Patches (0)
No patches discovered yet.
References (6)
- git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95 (nvd, Patch)
- git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d (nvd, Patch)
- git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f (nvd, Patch)
- git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f (nvd, Patch)
- git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195 (nvd, Patch)
- git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc (nvd, Patch)