Description
In the Linux kernel, the following vulnerability has been resolved:

HID: core: clamp report_size in s32ton() to avoid undefined shift

s32ton() shifts by n-1 where n is the field's report_size, a value that
comes directly from a HID device. The HID parser bounds report_size
only to <= 256, so a broken HID device can supply a report descriptor
with a wide field that triggers shift exponents up to 256 on a 32-bit
type when an output report is built via hid_output_field() or
hid_set_field().

Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in
hid_report_raw_event") added the same n > 32 clamp to the function
snto32(), but s32ton() was never given the same fix as I guess syzbot
hadn't figured out how to fuzz a device the same way.

Fix this up by just clamping the max value of n, just like snto32()
does.
Published: 2026-04-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

In the Linux kernel, the function s32ton() performs a left shift by (report_size‑1) where report_size comes directly from a HID device report descriptor. Because HID parsers limit report_size only to 256, a malicious device can supply a descriptor that causes a shift of 255 positions on a 32‑bit type. This results in an undefined shift operation, which can corrupt kernel memory or cause a crash. The vulnerability is classified as a shift‑overflow weakness (CWE‑1335) and can lead to a denial of service by causing a kernel panic when processing output reports for HID devices.

Affected Systems

All Linux kernel releases that include the Linux HID core before the removal of the unchecked shift in s32ton() are affected. Versions that do not contain the commit that clamps the shifting (currently present only in the kernel master as of commit ec61b41918587) can be impacted. The vulnerability affects the kernel's HID subsystem and therefore any system that accepts HID devices such as keyboards, mice, game controllers, or custom USB HID devices. Vendor identification is Linux for all affected builds.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity risk, but the EPSS score of <1% suggests that this bug is unlikely to be actively exploited in the wild. It is not listed in the CISA Known‑Exploited Vulnerabilities catalog. The vulnerability requires an attacker to supply a crafted HID report descriptor via a physical or virtual HID device, which typically limits exposure to environments with arbitrary device injection capabilities. Consequently, the risk is high for systems that run unpatched kernels and host unfiltered HID devices, but the practical exploitation window is narrow.

Generated by OpenCVE AI on April 28, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Linux kernel release that includes commit ec61b41918587 or later, which clamps the maximum shift in s32ton().
  • If an immediate kernel upgrade is not feasible, consider disabling or restricting HID device access for untrusted users, for example by applying udev rules to block unknown HID devices or by confining devices to a sandbox that prevents kernel corruption.
  • Monitor system logs and kernel panic records for signs of abnormal HID activity; ensure that reboot or crash reporting is enabled to detect potential exploitation attempts.

Generated by OpenCVE AI on April 28, 2026 at 20:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Tue, 28 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:2.6.20:-:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
References

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1335
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.
Title HID: core: clamp report_size in s32ton() to avoid undefined shift
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:24.557Z

Reserved: 2026-03-09T15:48:24.124Z

Link: CVE-2026-31624

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:41.697

Modified: 2026-04-28T14:02:38.647

Link: CVE-2026-31624

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31624 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:15:26Z

Weaknesses