Skip to content
CVSS 7.8 · HIGH

CVE-2026-31720

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.

View on NVD

Analysis

The Linux kernel is foundational infrastructure. This specific vulnerability involves a stack-based buffer overflow in the USB gadget subsystem. While it requires the system to be acting as a USB peripheral, kernel-level memory corruption bugs are high-priority for any community running Linux-based systems.

Severity

Score: 7.8(HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-787

EPSS

Probability of exploitation (next 30 days): 0.0002 (0.0%)
Percentile: 6.8%
EPSS: 2026-05-06

Affects

linux:linux_kernel

Technical description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.

Published: 5/1/2026, 3:16:34 PM
Last modified: 5/6/2026, 8:58:09 PM

References

HomeEventsBlogResourcesTeam