CVE-2026-31720 - Vulnerability Details

- usb: gadget: f_uac1_legacy: validate control request size

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack
variable:

u32 data = 0;
memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path,
which can lead to a stack out-of-bounds write.

Validate req->actual against the expected payload size for the
supported control selectors and decode only the expected amount
of data.

This avoids copying a host-influenced length into a fixed-size
stack object.

Published: 2026-05-01

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug arises when the f_audio_complete() routine copies a host‑controlled length value into a fixed‑size 4‑byte stack variable using memcpy. The req->length field is derived from the USB request sent by the host and is not bounded before the copy, leading to a stack out‑of‑bounds write that can corrupt kernel memory or crash the system. This flaw can be exploited by a malicious USB host to trigger arbitrary kernel memory corruption, potentially allowing privilege escalation or denial of service for users with local access.

Affected Systems

All Linux kernel builds that enable the f_uac1_legacy USB gadget driver are potentially impacted. The vulnerability is present in the kernel source regardless of distribution, and no specific version range is provided in the advisory. Systems running a kernel that still includes the unpatched f_uac1_legacy implementation may be exposed.

Risk and Exploitability

The exploitation likelihood is not quantified in the advisory (EPSS not available; KEV not listed), but the flaw involves a stack buffer overflow which historically carries a high exploitation risk. The attack path would involve a USB host sending a crafted control request to the gadget device, which the kernel would process without validating the payload size. Based on the description, the attack vector is a host‑to‑device USB interface. While no CVSS score is given, the nature of the vulnerability suggests it could lead to kernel privilege escalation if successfully exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< 557d1d4e862eccd0b74cc377b66de3e1e8d49605
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< 21b11e8581285c6f10ef43d05df349d445f24273
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< 0d41772d98dcaf6c17e875b7d0ea0154ae1191ee
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< c6da4fed7537aec19880c24f6c3a95065adb1406
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< 8e5eb1d6e6a3d7bbea9c92132d0cda5793176426
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< 26304d124e7f0383f8fe1168b5801a0ac7e16b1c
`c6994e6f067cf0fc4c6cca3d164018b1150916f8`	affected	< 6e0e34d85cd46ceb37d16054e97a373a32770f6c

Linux

affected

Version	Status	Constraints
`2.6.31`	affected	—
`0`	unaffected	< 2.6.31
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.134`	unaffected	≤ 6.6.*
`6.12.81`	unaffected	≤ 6.12.*
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,557d1d4e862eccd0b74cc377b66de3e1e8d49605)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,21b11e8581285c6f10ef43d05df349d445f24273)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0d41772d98dcaf6c17e875b7d0ea0154ae1191ee)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c6da4fed7537aec19880c24f6c3a95065adb1406)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8e5eb1d6e6a3d7bbea9c92132d0cda5793176426)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,26304d124e7f0383f8fe1168b5801a0ac7e16b1c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6e0e34d85cd46ceb37d16054e97a373a32770f6c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0,5.11.0)`	unaffected	semver	—
`[0,5.16.0)`	unaffected	semver	—
`[0,6.2.0)`	unaffected	semver	—
`[0,6.7.0)`	unaffected	semver	—
`[0,6.13.0)`	unaffected	semver	—
`[0,6.19.0)`	unaffected	semver	—
`[0,6.20.0)`	unaffected	semver	—
`[0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an updated Linux kernel version that incorporates the f_uac1_legacy control‑request size validation patch.
If an update is not feasible, disable or remove the f_uac1_legacy USB gadget driver from the kernel configuration to eliminate the vulnerable code.
Restrict USB gadget access by installing host‑side device isolation measures (e.g., USB gadgets disabled for untrusted hosts) to reduce exposure if the driver must remain enabled.

Generated by OpenCVE AI on May 2, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4561-1	linux-6.1 security update
Debian DSA	DSA-6243-1	linux security update

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0d41772d98dcaf6c17e875b7d0ea0154ae1191ee
https://git.kernel.org/stable/c/21b11e8581285c6f10ef43d05df349d445f24273
https://git.kernel.org/stable/c/26304d124e7f0383f8fe1168b5801a0ac7e16b1c
https://git.kernel.org/stable/c/557d1d4e862eccd0b74cc377b66de3e1e8d49605
https://git.kernel.org/stable/c/6e0e34d85cd46ceb37d16054e97a373a32770f6c
https://git.kernel.org/stable/c/8e5eb1d6e6a3d7bbea9c92132d0cda5793176426
https://git.kernel.org/stable/c/be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8
https://git.kernel.org/stable/c/c6da4fed7537aec19880c24f6c3a95065adb1406
https://lore.kernel.org/linux-cve-announce/2026050131-CVE-2026-31720-3b60@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31720
https://www.cve.org/CVERecord?id=CVE-2026-31720

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
References		https://lore.kernel.org/linux-cve-announce/2026050131-CVE-2026-31720-3b60@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31720 https://www.cve.org/CVERecord?id=CVE-2026-31720

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.
Title		usb: gadget: f_uac1_legacy: validate control request size
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0d41772d98dcaf6c17e875b7d0ea0154ae1191ee https://git.kernel.org/stable/c/21b11e8581285c6f10ef43d05df349d445f24273 https://git.kernel.org/stable/c/26304d124e7f0383f8fe1168b5801a0ac7e16b1c https://git.kernel.org/stable/c/557d1d4e862eccd0b74cc377b66de3e1e8d49605 https://git.kernel.org/stable/c/6e0e34d85cd46ceb37d16054e97a373a32770f6c https://git.kernel.org/stable/c/8e5eb1d6e6a3d7bbea9c92132d0cda5793176426 https://git.kernel.org/stable/c/be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8 https://git.kernel.org/stable/c/c6da4fed7537aec19880c24f6c3a95065adb1406

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:14:22.832Z

Updated: 2026-05-02T06:14:21.352Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31720

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:34.360

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31720

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31720 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T10:45:40Z

Weaknesses

CWE-787

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object