{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31401", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.086Z", "datePublished": "2026-04-03T15:16:04.903Z", "dateUpdated": "2026-04-03T15:16:04.903Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:16:04.903Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: prevent buffer overflow in hid_hw_request\n\nright now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrary big,\nbecause it's the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/bpf/hid_bpf_dispatch.c"], "versions": [{"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "d6efaa50af62fb0790dd1fd4e7e5506b46312510", "status": "affected", "versionType": "git"}, {"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1", "status": "affected", "versionType": "git"}, {"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "eb57dae20fdf6f3069cdc07821fa3bb46de381d7", "status": "affected", "versionType": "git"}, {"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "2b658c1c442ec1cd9eec5ead98d68662c40fe645", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/bpf/hid_bpf_dispatch.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d6efaa50af62fb0790dd1fd4e7e5506b46312510"}, {"url": "https://git.kernel.org/stable/c/73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1"}, {"url": "https://git.kernel.org/stable/c/eb57dae20fdf6f3069cdc07821fa3bb46de381d7"}, {"url": "https://git.kernel.org/stable/c/2b658c1c442ec1cd9eec5ead98d68662c40fe645"}], "title": "HID: bpf: prevent buffer overflow in hid_hw_request", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: prevent buffer overflow in hid_hw_request\n\nright now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrary big,\nbecause it's the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense."}], "id": "CVE-2026-31401", "lastModified": "2026-04-03T16:16:39.140", "metrics": {}, "published": "2026-04-03T16:16:39.140", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b658c1c442ec1cd9eec5ead98d68662c40fe645"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d6efaa50af62fb0790dd1fd4e7e5506b46312510"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eb57dae20fdf6f3069cdc07821fa3bb46de381d7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{"bugzilla": {"description": "kernel: HID: bpf: prevent buffer overflow in hid_hw_request", "id": "2454818", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454818"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's Human Interface Device (HID) BPF (Berkeley Packet Filter) component. This vulnerability occurs in the `hid_hw_request` function, where an uncontrolled return value from `dispatch_hid_bpf_raw_requests()` can lead to a buffer overflow. This could allow a local attacker to cause memory corruption, potentially leading to a denial of service or information disclosure."], "name": "CVE-2026-31401", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31401\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31401\nhttps://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31401-697d@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,d6efaa50af62fb0790dd1fd4e7e5506b46312510)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,eb57dae20fdf6f3069cdc07821fa3bb46de381d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,2b658c1c442ec1cd9eec5ead98d68662c40fe645)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T19:21:58.219206+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel patch that fixes HID-BPF buffer overflow (see the provided git commits).", "If the patch cannot be applied immediately, disable HID-BPF support in the kernel configuration or remove unnecessary HID\u2011BPF modules."], "summary": {"action": "Patch", "impact": "Kernel buffer overflow leading to privilege escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts any Linux system running a kernel that includes the default HID-BPF driver. No specific kernel versions are listed, so all releases that have not yet applied the patch may be affected. Users should verify whether their kernel contains the commit that introduces this fix.", "description_and_impact": "A flaw in the Linux kernel\u2019s HID-BPF subsystem allows an attacker to send malformed HID requests that lead to a buffer overflow in the hid_hw_request function. The return value of dispatch_hid_bpf_raw_requests() is not validated, so an attacker can cause the kernel to copy an arbitrarily large amount of data into a fixed-size buffer. This corruption can compromise kernel memory integrity, enabling the execution of arbitrary code with kernel privileges. The weakness corresponds to an unchecked buffer write.", "risk_and_exploitability": "The severity is high because kernel memory corruption can lead to privilege escalation or system crashes. The CVSS score is not provided, but the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local to a hostile HID device or could be remote if the device is connected through a network\u2011accessible interface. In either case, an attacker that can influence HID traffic can exploit this code path."}}}}, "created": "2026-04-03T21:13:12.321081+00:00", "updated": "2026-04-03T21:15:25.703881+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}