CVE-2026-31520 - Vulnerability Details

- HID: apple: avoid memory leak in apple_report_fixup()

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: apple: avoid memory leak in apple_report_fixup()

The apple_report_fixup() function was returning a
newly kmemdup()-allocated buffer, but never freeing it.

The caller of report_fixup() does not take ownership of the returned
pointer, but it *is* permitted to return a sub-portion of the input
rdesc, whose lifetime is managed by the caller.

Published: 2026-04-22

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The apple_report_fixup() function in the Linux kernel allocates a new buffer with kmemdup() but never releases it, leading to a memory leak. This flaw is a classic example of improper memory deallocation (CWE‑401) and also improper resource management (CWE‑772), and can cause the kernel to gradually consume available memory, potentially resulting in a system-wide denial‑of‑service.

Affected Systems

All Linux kernel releases that contain the unmodified apple HID are affected, as the vulnerability exists in versions prior to the commit that introduced the fix. Users running a kernel with the legacy apple_report_fixup() implementation, regardless of distribution, are exposed.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity. The EPSS score of less than 1% suggests a low probability of exploitation at the present time, and the vulnerability is not listed in CISA’s KEV catalog, pointing to limited known exploitation. However, based on the description, it is inferred that an attacker who can repeatedly trigger the Apple HID report processing—such as by connecting affected devices or via a compromised local user—could provoke the kernel to leak memory until resources are exhausted. The vulnerability does not provide code execution or privilege escalation; it primarily poses a risk of resource depletion.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6e143293e17a73c9313f91c5ca3aaacbaef030cf`	affected	< e2f090aeb7b9930a964e151910f4d45b04c8a7e5
`6e143293e17a73c9313f91c5ca3aaacbaef030cf`	affected	< 2635d0c715f3fb177e0f80ecd5fa48feb6bf3884
`6e143293e17a73c9313f91c5ca3aaacbaef030cf`	affected	< 31860c3f7ac66ab897a8c90dc4e74fa17ca0b624
`6e143293e17a73c9313f91c5ca3aaacbaef030cf`	affected	< be1a341c161430282acdfe2ac99b413271575cf1
`6e143293e17a73c9313f91c5ca3aaacbaef030cf`	affected	< e652ebd29928181c3e6820e303da25873e9917d4
`6e143293e17a73c9313f91c5ca3aaacbaef030cf`	affected	< 239c15116d80f67d32f00acc34575f1a6b699613

Linux

affected

Version	Status	Constraints
`5.17`	affected	—
`0`	unaffected	< 5.17
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e2f090aeb7b9930a964e151910f4d45b04c8a7e5)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2635d0c715f3fb177e0f80ecd5fa48feb6bf3884)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,31860c3f7ac66ab897a8c90dc4e74fa17ca0b624)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,be1a341c161430282acdfe2ac99b413271575cf1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,e652ebd29928181c3e6820e303da25873e9917d4)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,239c15116d80f67d32f00acc34575f1a6b699613)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.131,6.7.0)`	unaffected	semver	—
`[6.12.80,6.13.0)`	unaffected	semver	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that includes the apple_report_fixup() memory‑leak fix.
If a patch is not yet available, unload or blacklist the Apple HID driver to prevent the faulty routine from executing.
As a temporary precaution, block or disconnect Apple HID devices until the kernel is updated or the driver is removed.

Generated by OpenCVE AI on April 28, 2026 at 23:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6238-1	linux security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/239c15116d80f67d32f00acc34575f1a6b699613
https://git.kernel.org/stable/c/2635d0c715f3fb177e0f80ecd5fa48feb6bf3884
https://git.kernel.org/stable/c/31860c3f7ac66ab897a8c90dc4e74fa17ca0b624
https://git.kernel.org/stable/c/be1a341c161430282acdfe2ac99b413271575cf1
https://git.kernel.org/stable/c/e2f090aeb7b9930a964e151910f4d45b04c8a7e5
https://git.kernel.org/stable/c/e652ebd29928181c3e6820e303da25873e9917d4
https://lore.kernel.org/linux-cve-announce/2026042211-CVE-2026-31520-a81f@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31520
https://www.cve.org/CVERecord?id=CVE-2026-31520

History

Tue, 28 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026042211-CVE-2026-31520-a81f@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31520 https://www.cve.org/CVERecord?id=CVE-2026-31520
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: HID: apple: avoid memory leak in apple_report_fixup() The apple_report_fixup() function was returning a newly kmemdup()-allocated buffer, but never freeing it. The caller of report_fixup() does not take ownership of the returned pointer, but it is permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller.
Title		HID: apple: avoid memory leak in apple_report_fixup()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/239c15116d80f67d32f00acc34575f1a6b699613 https://git.kernel.org/stable/c/2635d0c715f3fb177e0f80ecd5fa48feb6bf3884 https://git.kernel.org/stable/c/31860c3f7ac66ab897a8c90dc4e74fa17ca0b624 https://git.kernel.org/stable/c/be1a341c161430282acdfe2ac99b413271575cf1 https://git.kernel.org/stable/c/e2f090aeb7b9930a964e151910f4d45b04c8a7e5 https://git.kernel.org/stable/c/e652ebd29928181c3e6820e303da25873e9917d4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-22T13:54:35.534Z

Updated: 2026-05-11T22:10:23.085Z

Reserved: 2026-03-09T15:48:24.108Z

Link: CVE-2026-31520

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-22T14:16:51.770

Modified: 2026-04-28T18:27:38.420

Link: CVE-2026-31520

Redhat

Severity : Low

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31520 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object