Description
In the Linux kernel, the following vulnerability has been resolved:

HID: bpf: prevent buffer overflow in hid_hw_request

Right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrarily big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.
Published: 2026-04-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel HID-BPF subsystem, where the return value of dispatch_hid_bpf_raw_requests() is used as a buffer size in hid_hw_request without validation. This oversight combines an incorrect calculation of buffer size (CWE-131) with a subsequent out-of-bounds write (CWE-787), allowing the kernel to attempt to copy far more data than the buffer can contain. The result is memory corruption that could lead to kernel crashes or privilege escalation if an attacker can influence the value returned by that function.
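
The pattern described above, modelled in user space as an added example (it is not kernel code and not the upstream patch): a length reported by an untrusted callback is bounded before it is used as a copy size. The names raw_request_fn, checked_request and the three hooks are hypothetical, and the hook behaviour is constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a HID-BPF struct_ops hook: fills `data` and
 * returns a byte count or a negative errno. The caller cannot trust it. */
typedef int (*raw_request_fn)(unsigned char *data, size_t size);

/* Constructed hook: well behaved, reports what it actually wrote. */
static int honest_hook(unsigned char *data, size_t size) {
    size_t n = size < 4 ? size : 4;
    memset(data, 0xAB, n);
    return (int)n;
}

/* Constructed hook: claims far more than `size` bytes. */
static int oversized_hook(unsigned char *data, size_t size) {
    memset(data, 0xCD, size);
    return 4096;
}

/* Constructed hook: reports an error. */
static int failing_hook(unsigned char *data, size_t size) {
    (void)data; (void)size;
    return -EIO;
}

/* Runs the hook on a scratch buffer and copies the result to `out`.
 * Using `ret` directly as the memcpy length is the bug class described
 * above; here it is first bounded by the size that was requested. */
int checked_request(raw_request_fn hook, unsigned char *out, size_t out_len) {
    unsigned char scratch[64] = {0};
    size_t size = out_len < sizeof(scratch) ? out_len : sizeof(scratch);
    int ret = hook(scratch, size);

    if (ret < 0)
        return ret;            /* propagate errors unchanged */
    if ((size_t)ret > size)
        ret = (int)size;       /* never copy more than was requested */
    memcpy(out, scratch, (size_t)ret);
    return ret;
}

int main(void) {
    unsigned char buf[8];
    printf("%d %d %d\n", checked_request(honest_hook, buf, 8),
           checked_request(oversized_hook, buf, 8),
           checked_request(failing_hook, buf, 8));
    return 0;
}
```

Rejecting an oversized return value with an error instead of clamping it is an equally valid policy; the point is that the value is checked against the buffer before any copy.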

Affected Systems

The flaw targets the Linux kernel itself, affecting all releases that contain the vulnerable HID-BPF code prior to the fix. The available CPE data references kernel versions 7.0‑rc1 through 7.0‑rc4, but the issue likely applies to any kernel version with the HID‑BPF implementation that has not yet been patched. System administrators should treat any such kernel revision as exposed until the patch is applied.

Risk and Exploitability

With a CVSS score of 7.8 the vulnerability is high severity, but its EPSS score of less than 1 % indicates a low probability of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. The CVE description suggests that exploiting the issue requires the attacker to supply a custom HID‑BPF program that the kernel will process. While the exact attack vector is not detailed in the advisory, it is inferred that writing a malicious BPF program and delivering it to a system that enables HID-BPF could trigger the overflow, potentially resulting in kernel memory corruption.

Generated by OpenCVE AI on May 20, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the HID-BPF fix.
  • If a kernel update cannot be applied immediately, disable HID-BPF support or restrict access so that only trusted programs can be loaded.
  • Continuously monitor kernel logs for abnormal HID traffic or messages that may indicate an attempted exploitation.


Advisories
Source | ID | Title
Debian DSA | DSA-6238-1 | linux security update

History

Wed, 20 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: HID: bpf: prevent buffer overflow in hid_hw_request right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrary big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
Title HID: bpf: prevent buffer overflow in hid_hw_request
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:07:59.185Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31401

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-03T16:16:39.140

Modified: 2026-05-20T12:19:54.790

Link: CVE-2026-31401

Redhat

Severity: Moderate

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31401 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T14:00:22Z

Weaknesses