CVSS 7.8 · HIGH

CVE-2026-31720

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack variable:

    u32 data = 0;
    memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path, which can lead to a stack out-of-bounds write.

Validate req->actual against the expected payload size for the supported control selectors and decode only the expected amount of data. This avoids copying a host-influenced length into a fixed-size stack object.
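
The pattern the advisory describes, shown as an added C example (not the kernel's code): a user-space model with a hypothetical usb_request struct carrying only the fields named above, a hypothetical selector table with assumed payload sizes, the unchecked copy beside a decoder that validates req->actual against the selector's expected size and decodes only that many bytes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's request object with only the fields the
 * advisory names; constructed for this example, not the kernel's type. */
struct usb_request {
	const uint8_t *buf;
	unsigned int length;	/* requested transfer size: host-influenced */
	unsigned int actual;	/* bytes the host actually sent */
};

/* Hypothetical selectors and payload sizes; the real f_uac1_legacy table is not on the page. */
enum { SEL_MUTE = 1, SEL_VOLUME = 2 };

static int expected_payload_len(int selector)
{
	switch (selector) {
	case SEL_MUTE:   return 1;	/* single on/off byte */
	case SEL_VOLUME: return 2;	/* 16-bit little-endian value */
	default:         return -1;	/* unsupported selector: reject */
	}
}

/* BEFORE: the pattern the advisory describes. A host-influenced length is copied
 * into a 4-byte stack object; any length > 4 writes past 'data'. */
static uint32_t decode_unchecked(const struct usb_request *req)
{
	uint32_t data = 0;
	memcpy(&data, req->buf, req->length);
	return data;
}

/* AFTER: accept only the exact payload size the selector expects and decode that
 * many bytes (USB control data is little-endian on the wire), so the copy length
 * is bounded by the selector table rather than by the host. */
static bool decode_checked(const struct usb_request *req, int selector, uint32_t *out)
{
	int want = expected_payload_len(selector);
	uint32_t data = 0;
	if (want < 0 || req->actual != (unsigned int)want)
		return false;
	for (int i = 0; i < want; i++)
		data |= (uint32_t)req->buf[i] << (8 * i);
	*out = data;
	return true;
}
```

For an 8-byte request against SEL_VOLUME, decode_checked() rejects it, while a 2-byte request is accepted and decoded as 0x1234 from the bytes 0x34 0x12.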

View in NVD

Analysis

The Linux kernel is foundational infrastructure. This specific vulnerability involves a stack-based buffer overflow in the USB gadget subsystem. While it requires the system to be acting as a USB peripheral, kernel-level memory corruption bugs are high-priority for any community running Linux-based systems.

Severity

Score: 7.8 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: LOCAL
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-787

EPSS

Probability of exploitation (next 30 days): 0.0002 (0.0%)
Percentile: 6.8%
EPSS: 2026-05-06

Affects

linux:linux_kernel

Technical description

Published: 1/5/2026, 15:16:34
Last modified: 6/5/2026, 20:58:09
