Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack
variable:

u32 data = 0;
memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path,
which can lead to a stack out-of-bounds write.

Validate req->actual against the expected payload size for the
supported control selectors and decode only the expected amount
of data.

This avoids copying a host-influenced length into a fixed-size
stack object.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug arises when the f_audio_complete() routine copies a host‑controlled length value into a fixed‑size 4‑byte stack variable using memcpy. The req->length field is derived from the USB request sent by the host and is not bounded before the copy, leading to a stack out‑of‑bounds write that can corrupt kernel memory or crash the system. This flaw can be exploited by a malicious USB host to trigger arbitrary kernel memory corruption, potentially allowing privilege escalation or denial of service for users with local access.

Affected Systems

All Linux kernel builds that enable the f_uac1_legacy USB gadget driver are potentially impacted. The vulnerability is present in the kernel source regardless of distribution, and no specific version range is provided in the advisory. Systems running a kernel that still includes the unpatched f_uac1_legacy implementation may be exposed.

Risk and Exploitability

The exploitation likelihood is low according to the EPSS score of <1%, but the flaw still involves a stack buffer overflow that carries a high severity potential. The CVSS score of 7.8 reflects a high impact rating. An attacker would send a crafted control request from a USB host to the gadget device; the kernel, lacking size validation, copies the host‑provided length into a 4‑byte stack variable, allowing an out‑of‑bounds write that can corrupt kernel memory. The attack vector is via the USB host‑to‑device interface, and the vulnerability could enable kernel privilege escalation or denial of service should the overflow be successfully exploited.

Generated by OpenCVE AI on May 6, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel version that incorporates the f_uac1_legacy control‑request size validation patch.
  • If an update is not feasible, disable or remove the f_uac1_legacy USB gadget driver from the kernel configuration to eliminate the vulnerable code.
  • Restrict USB gadget access by installing host‑side device isolation measures (e.g., USB gadgets disabled for untrusted hosts) to reduce exposure if the driver must remain enabled.

Generated by OpenCVE AI on May 6, 2026 at 22:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Wed, 06 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.
Title usb: gadget: f_uac1_legacy: validate control request size
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:27.286Z

Reserved: 2026-03-09T15:48:24.134Z

Link: CVE-2026-31720

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:34.360

Modified: 2026-05-06T20:58:09.417

Link: CVE-2026-31720

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31720 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses