Severity: HIGH
Tags: hid, BPF, BufferOverflow
CVE-2026-31401
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

HID: bpf: prevent buffer overflow in hid_hw_request

Right now the returned value is considered to be always valid. However, when playing with HID-BPF, the return value can be arbitrarily big, because it's the return value of dispatch_hid_bpf_raw_requests(), which calls the struct_ops and we have no guarantees that the value makes sense.
02 KernelScan AI Analysis
Risk summary
Local attackers with BPF program loading privileges can cause buffer overflows in HID device handling, potentially leading to kernel memory corruption and privilege escalation. Systems running untrusted BPF programs or multi-tenant environments are at highest risk.
Vulnerability analysis
The vulnerability occurs in hid_bpf_hw_request() where the return value from dispatch_hid_bpf_raw_requests() is trusted without validation. Since this calls user-controlled BPF struct_ops programs, an attacker can return arbitrarily large values that exceed the destination buffer size in the subsequent memcpy(buf, dma_data, ret) operation. The fix adds a bounds check to clamp the return value to the buffer size, preventing out-of-bounds writes. This is locally exploitable by users who can load BPF programs (typically requiring CAP_BPF or CAP_SYS_ADMIN), and affects systems with HID devices where BPF programs can intercept hardware requests.
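The unchecked copy described above next to the clamped form, as an added C example that is not the kernel's code: the struct_ops hook, the report buffer size and the guard region are constructed stand-ins, and the scratch area is deliberately over-allocated so that the demonstration overruns a canary rather than real memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define REPORT_SIZE 8   /* caller's report buffer size (hypothetical value) */
#define GUARD_SIZE  64  /* bytes after the buffer that must never be written */
#define DMA_SCRATCH 32  /* over-allocated so the demo overrun lands in guard[] */
/* Constructed stand-in for the HID-BPF struct_ops hook; the kernel cannot vouch for the count it returns. */
typedef int (*bpf_raw_request_hook)(uint8_t *dma_data, size_t size);
struct report_buf {
    uint8_t data[REPORT_SIZE];
    uint8_t guard[GUARD_SIZE]; /* canary region directly after data[] */
};
/* Misbehaving hook: fills the scratch area and claims four times the caller's size. */
static int oversized_hook(uint8_t *dma_data, size_t size)
{
    memset(dma_data, 0xAA, DMA_SCRATCH);
    return (int)(size * 4); /* 32 for an 8-byte report, more than data[] holds */
}

/* Unchecked pattern: ret is trusted and handed straight to memcpy. */
static int hw_request_unchecked(struct report_buf *rb, uint8_t *dma, bpf_raw_request_hook hook)
{
    int ret = hook(dma, sizeof rb->data);
    if (ret > 0)
        memcpy(rb->data, dma, (size_t)ret); /* runs past data[] when ret > REPORT_SIZE */
    return ret;
}

/* Hardened pattern: negative values are errors, larger counts are clamped to the buffer first. */
static int hw_request_checked(struct report_buf *rb, uint8_t *dma, bpf_raw_request_hook hook)
{
    int ret = hook(dma, sizeof rb->data);
    if (ret < 0)
        return ret;
    if ((size_t)ret > sizeof rb->data)
        ret = (int)sizeof rb->data;
    memcpy(rb->data, dma, (size_t)ret);
    return ret;
}

/* Runs one request on zeroed buffers; returns the (possibly clamped) count, or -1 if guard[] was written. */
static int demo(int hardened)
{
    static const uint8_t zeros[GUARD_SIZE];
    struct report_buf rb = {{0}, {0}};
    uint8_t dma[DMA_SCRATCH] = {0};
    int ret = hardened ? hw_request_checked(&rb, dma, oversized_hook)
                       : hw_request_unchecked(&rb, dma, oversized_hook);
    return memcmp(rb.guard, zeros, GUARD_SIZE) ? -1 : ret;
}
```

demo(0) reports -1 because the unchecked copy spills 24 bytes into the guard, while demo(1) returns 8, the caller's buffer size, with the guard untouched.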
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.78 | d6efaa50af62 |
| 6.18 | 6.18.20 | 73c5b5aea1c4 |
| 6.19 | 6.19.10 | eb57dae20fdf |
| mainline | 7.0 | 2b658c1c442e |