CVE-2026-31401 - Vulnerability Details

- HID: bpf: prevent buffer overflow in hid_hw_request

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: bpf: prevent buffer overflow in hid_hw_request

right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrary big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.

Published: 2026-04-03

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is in the Linux HID-BPF subsystem where the return value from dispatch_hid_bpf_raw_requests is treated as a buffer size in hid_hw_request without validation. Because the value can be arbitrarily large, the kernel may attempt to copy more data than a buffer can hold, causing a buffer overflow and potential memory corruption.

Affected Systems

The flaw affects the Linux kernel itself. Any kernel release that contains the vulnerable HID-BPF code path and has not yet applied the patch is considered exposed. The CVE data does not provide a precise version range, so any kernel version from the beginning of the HID-BPF implementation up to the fix should be regarded as at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1 % points to a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog, showing no publicly known active exploits. The CVE record does not describe an attack vector or exploitation mechanism; the flaw appears to require that an attacker supplies a custom HID‑BPF program that is processed by the kernel, but this premise is not confirmed by the data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`8bd0488b5ea58655ad6fdcbe0408ef49b16882b1`	affected	< d6efaa50af62fb0790dd1fd4e7e5506b46312510
`8bd0488b5ea58655ad6fdcbe0408ef49b16882b1`	affected	< 73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1
`8bd0488b5ea58655ad6fdcbe0408ef49b16882b1`	affected	< eb57dae20fdf6f3069cdc07821fa3bb46de381d7
`8bd0488b5ea58655ad6fdcbe0408ef49b16882b1`	affected	< 2b658c1c442ec1cd9eec5ead98d68662c40fe645

Linux

affected

Version	Status	Constraints
`6.11`	affected	—
`0`	unaffected	< 6.11
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,d6efaa50af62fb0790dd1fd4e7e5506b46312510)`	affected	code_commit	—
`[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1)`	affected	code_commit	—
`[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,eb57dae20fdf6f3069cdc07821fa3bb46de381d7)`	affected	code_commit	—
`[8bd0488b5ea58655ad6fdcbe0408ef49b16882b1,2b658c1c442ec1cd9eec5ead98d68662c40fe645)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.11`	affected	semver	—
`[0,6.11)`	unaffected	semver	—
`[6.12.78,6.13.0]`	unaffected	semver	—
`[6.18.20,6.19.0]`	unaffected	semver	—
`[6.19.10,6.20.0]`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the HID-BPF fix.
If the patch cannot be applied immediately, disable HID‑BPF support or restrict access to the subsystem to prevent execution of untrusted BPF programs.
Monitor the system for abnormal HID traffic or kernel messages that could indicate an attempt to exploit the vulnerability.

Generated by OpenCVE AI on April 28, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2b658c1c442ec1cd9eec5ead98d68662c40fe645
https://git.kernel.org/stable/c/73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1
https://git.kernel.org/stable/c/d6efaa50af62fb0790dd1fd4e7e5506b46312510
https://git.kernel.org/stable/c/eb57dae20fdf6f3069cdc07821fa3bb46de381d7
https://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31401-697d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31401
https://www.cve.org/CVERecord?id=CVE-2026-31401

History

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31401-697d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31401 https://www.cve.org/CVERecord?id=CVE-2026-31401
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: HID: bpf: prevent buffer overflow in hid_hw_request right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrary big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
Title		HID: bpf: prevent buffer overflow in hid_hw_request
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2b658c1c442ec1cd9eec5ead98d68662c40fe645 https://git.kernel.org/stable/c/73c5b5aea1c443239c8cb4191b4af7a4bd6fd7b1 https://git.kernel.org/stable/c/d6efaa50af62fb0790dd1fd4e7e5506b46312510 https://git.kernel.org/stable/c/eb57dae20fdf6f3069cdc07821fa3bb46de381d7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:16:04.903Z

Updated: 2026-04-27T14:02:48.567Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31401

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-03T16:16:39.140

Modified: 2026-04-27T14:16:36.033

Link: CVE-2026-31401

Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31401 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses

CWE-131

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object