Description
In the Linux kernel, the following vulnerability has been resolved:

HID: bpf: prevent buffer overflow in hid_hw_request

right now the returned value is considered to be always valid. However,
when playing with HID-BPF, the return value can be arbitrary big,
because it's the return value of dispatch_hid_bpf_raw_requests(), which
calls the struct_ops and we have no guarantees that the value makes
sense.
Published: 2026-04-03
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Kernel buffer overflow leading to privilege escalation
Action: Patch
AI Analysis

Impact

A flaw in the Linux kernel’s HID-BPF subsystem allows an attacker to send malformed HID requests that lead to a buffer overflow in the hid_hw_request function. The return value of dispatch_hid_bpf_raw_requests() is not validated, so an attacker can cause the kernel to copy an arbitrarily large amount of data into a fixed-size buffer. This corruption can compromise kernel memory integrity, enabling the execution of arbitrary code with kernel privileges. The weakness corresponds to an unchecked buffer write.

Affected Systems

The vulnerability impacts any Linux system running a kernel that includes the default HID-BPF driver. No specific kernel versions are listed, so all releases that have not yet applied the patch may be affected. Users should verify whether their kernel contains the commit that introduces this fix.

Risk and Exploitability

The severity is high because kernel memory corruption can lead to privilege escalation or system crashes. The CVSS score is not provided, but the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local to a hostile HID device or could be remote if the device is connected through a network‑accessible interface. In either case, an attacker that can influence HID traffic can exploit this code path.

Generated by OpenCVE AI on April 3, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel patch that fixes HID-BPF buffer overflow (see the provided git commits).
  • If the patch cannot be applied immediately, disable HID-BPF support in the kernel configuration or remove unnecessary HID‑BPF modules.

Generated by OpenCVE AI on April 3, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: HID: bpf: prevent buffer overflow in hid_hw_request right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrary big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
Title HID: bpf: prevent buffer overflow in hid_hw_request
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:16:04.903Z

Reserved: 2026-03-09T15:48:24.086Z

Link: CVE-2026-31401

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-03T16:16:39.140

Modified: 2026-04-03T16:16:39.140

Link: CVE-2026-31401

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31401 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:15:25Z

Weaknesses