HIGH
usb/gadget AudioControl Overflow
CVE-2026-31720
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.4 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack variable:

    u32 data = 0;
    memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write.

Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data.

This avoids copying a host-influenced length into a fixed-size stack object.
02 KernelScan AI Analysis
Risk summary
A USB host can trigger a stack buffer overflow in USB audio gadget devices by sending oversized control requests. This allows an attacker with physical access to the device's USB port to achieve arbitrary code execution in kernel space, potentially leading to system compromise.
Vulnerability analysis
The vulnerability occurs in f_audio_complete() where req->length (controlled by the USB host) is used directly in memcpy() to copy data into a 4-byte stack variable. Since req->length can exceed 4 bytes, this creates a stack buffer overflow. The fix validates req->actual against expected payload sizes for different control selectors (UAC_FU_MUTE expects 1 byte, UAC_FU_VOLUME expects 2 bytes) and only copies the appropriate amount of data. Attack surface is physical access to USB ports, as the attacker must connect a malicious USB host device to the target's USB gadget interface.
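The validation described above, as an added example that is not the kernel patch or code from this page: a user-space C model that accepts a control payload only when the transferred size matches the selector's expected size exactly. `struct ctrl_req`, `expected_len` and `decode_control` are hypothetical names, and the selector values are assumed to match the UAC1 feature-unit definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Selector values, assumed to match the UAC1 feature-unit definitions. */
#define UAC_FU_MUTE   0x01
#define UAC_FU_VOLUME 0x02

/* Hypothetical stand-in for the struct usb_request fields discussed above. */
struct ctrl_req {
    const void *buf;  /* data-stage payload */
    size_t length;    /* length taken from the host's request */
    size_t actual;    /* bytes actually transferred */
};

/* Expected payload size per supported selector; 0 means unsupported. */
static size_t expected_len(uint8_t selector)
{
    switch (selector) {
    case UAC_FU_MUTE:   return 1;
    case UAC_FU_VOLUME: return 2;
    default:            return 0;
    }
}

/*
 * Pattern from the description (shown only as a comment, not compiled):
 *     u32 data = 0;
 *     memcpy(&data, req->buf, req->length);
 *
 * Hardened decode: returns 0 and stores the value on success, -1 when the
 * selector is unsupported or the transfer size is not exactly as expected.
 * req->length is never used as a copy size.
 */
int decode_control(uint8_t selector, const struct ctrl_req *req, uint32_t *out)
{
    size_t want = expected_len(selector);
    uint8_t raw[2] = {0};

    if (want == 0 || req->buf == NULL || req->actual != want)
        return -1;
    memcpy(raw, req->buf, want);  /* want is 1 or 2, never above sizeof(raw) */
    /* USB multi-byte fields are little-endian; decode explicitly. */
    *out = (want == 1) ? raw[0] : ((uint32_t)raw[0] | ((uint32_t)raw[1] << 8));
    return 0;
}
```

Rejecting on a size mismatch, rather than clamping the copy to 4 bytes, also keeps short or oversized payloads from being interpreted as a valid mute or volume value.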
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 557d1d4e862e |
| 5.15 | 5.15.203 | 21b11e858128 |
| 6.1 | 6.1.168 | 0d41772d98dc |
| 6.6 | 6.6.134 | c6da4fed7537 |
| 6.12 | 6.12.81 | be2d32f0c3fe |
| 6.18 | 6.18.22 | 8e5eb1d6e6a3 |
| 6.19 | 6.19.12 | 26304d124e7f |
| mainline | 7.0 | 6e0e34d85cd4 |