{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31401", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.086Z", "datePublished": "2026-04-03T15:16:04.903Z", "dateUpdated": "2026-05-11T22:07:59.185Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:07:59.185Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: prevent buffer overflow in hid_hw_request\n\nright now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrary big,\nbecause it's the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/bpf/hid_bpf_dispatch.c"], "versions": [{"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "d6efaa50af62fb0790dd1fd4e7e5506b46312510", "status": "affected", "versionType": "git"}, {"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1", "status": "affected", "versionType": "git"}, {"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "eb57dae20fdf6f3069cdc07821fa3bb46de381d7", "status": "affected", "versionType": "git"}, {"version": "8bd0488b5ea58655ad6fdcbe0408ef49b16882b1", "lessThan": "2b658c1c442ec1cd9eec5ead98d68662c40fe645", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/bpf/hid_bpf_dispatch.c"], "versions": [{"version": "6.11", "status": "affected"}, {"version": "0", "lessThan": "6.11", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d6efaa50af62fb0790dd1fd4e7e5506b46312510"}, {"url": "https://git.kernel.org/stable/c/73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1"}, {"url": "https://git.kernel.org/stable/c/eb57dae20fdf6f3069cdc07821fa3bb46de381d7"}, {"url": "https://git.kernel.org/stable/c/2b658c1c442ec1cd9eec5ead98d68662c40fe645"}], "title": "HID: bpf: prevent buffer overflow in hid_hw_request", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: bpf: prevent buffer overflow in hid_hw_request\n\nright now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrary big,\nbecause it's the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense."}], "id": "CVE-2026-31401", "lastModified": "2026-04-27T14:16:36.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-03T16:16:39.140", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2b658c1c442ec1cd9eec5ead98d68662c40fe645"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d6efaa50af62fb0790dd1fd4e7e5506b46312510"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eb57dae20fdf6f3069cdc07821fa3bb46de381d7"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: HID: bpf: prevent buffer overflow in hid_hw_request", "id": "2454818", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454818"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's Human Interface Device (HID) BPF (Berkeley Packet Filter) component. This vulnerability occurs in the `hid_hw_request` function, where an uncontrolled return value from `dispatch_hid_bpf_raw_requests()` can lead to a buffer overflow. This could allow a local attacker to cause memory corruption, potentially leading to a denial of service or information disclosure."], "name": "CVE-2026-31401", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31401\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31401\nhttps://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31401-697d@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,d6efaa50af62fb0790dd1fd4e7e5506b46312510)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,eb57dae20fdf6f3069cdc07821fa3bb46de381d7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,2b658c1c442ec1cd9eec5ead98d68662c40fe645)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.11"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:44:57.858889+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the HID-BPF fix.", "If the patch cannot be applied immediately, disable HID\u2011BPF support or restrict access to the subsystem to prevent execution of untrusted BPF programs.", "Monitor the system for abnormal HID traffic or kernel messages that could indicate an attempt to exploit the vulnerability."], "summary": {"action": "Patch Upgrade", "impact": "Kernel buffer overflow"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel itself. Any kernel release that contains the vulnerable HID-BPF code path and has not yet applied the patch is considered exposed. The CVE data does not provide a precise version range, so any kernel version from the beginning of the HID-BPF implementation up to the fix should be regarded as at risk.", "description_and_impact": "The vulnerability is in the Linux HID-BPF subsystem where the return value from dispatch_hid_bpf_raw_requests is treated as a buffer size in hid_hw_request without validation. Because the value can be arbitrarily large, the kernel may attempt to copy more data than a buffer can hold, causing a buffer overflow and potential memory corruption.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1\u00a0% points to a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog, showing no publicly known active exploits. The CVE record does not describe an attack vector or exploitation mechanism; the flaw appears to require that an attacker supplies a custom HID\u2011BPF program that is processed by the kernel, but this premise is not confirmed by the data."}}}}, "created": "2026-04-03T21:13:12.321081+00:00", "updated": "2026-04-28T21:45:26.154744+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}