Description

In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.

INFO

Published Date :

2026-04-24T14:42:41.655Z

Last Modified :

2026-04-27T13:57:03.835Z

Source :

Linux
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31624 vulnerability.

Vendors Products
Linux
  • Linux Kernel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31624.

URL Resource
https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95 cve-icon cve-icon
https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f cve-icon cve-icon
https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195 cve-icon cve-icon
https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2026042426-CVE-2026-31624-e19a@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-31624 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-31624 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact