CVE-2026-31520 Overview
CVE-2026-31520 is a memory leak vulnerability [CWE-401] in the Linux kernel's HID (Human Interface Device) subsystem, specifically within the Apple driver's apple_report_fixup() function. The function allocated a buffer using kmemdup() and returned it to the caller, but the caller never freed the memory. Because the contract of report_fixup() does not transfer ownership of the returned pointer to the caller, the allocated buffer leaked on every invocation. Repeated triggering of the code path can exhaust kernel memory and lead to a denial-of-service condition on affected systems.
Critical Impact
A local, low-privileged user with the ability to attach or interact with Apple HID devices can trigger repeated kernel memory leaks, leading to resource exhaustion and system availability impact.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix commits)
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2
Discovery Timeline
- 2026-04-22 - CVE-2026-31520 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31520
Vulnerability Analysis
The vulnerability resides in drivers/hid/hid-apple.c within the apple_report_fixup() function. The HID core invokes report_fixup() to allow individual drivers to patch the report descriptor (rdesc) of a connected device before parsing. The expected contract permits a driver to either return the original input pointer unchanged or return a sub-portion of the input buffer whose lifetime is managed by the HID core.
The Apple driver violated this contract by calling kmemdup() to allocate a fresh copy of the report descriptor, modifying it, and returning the new pointer. The HID core caller does not take ownership of returned pointers and therefore never released the duplicated buffer. Each device probe path that runs apple_report_fixup() leaks the allocation. Devices that repeatedly disconnect and reconnect, or attackers with USB or Bluetooth HID access who replay enumeration, amplify the leak.
Root Cause
The root cause is an ownership and lifetime mismatch between the driver implementation and the kernel's HID API contract. The apple_report_fixup() function returned heap-allocated memory through an interface that does not free it [CWE-401]. The fix refactors the function so that the report descriptor is patched in place or the duplicated buffer's lifetime is properly managed by the driver itself.
Attack Vector
Exploitation requires local access with low privileges and no user interaction. An attacker who can attach an Apple HID device, or who can cause repeated HID probe events on a system with the Apple driver loaded, drives the leak. Because the impact is limited to availability and confidentiality and integrity are unaffected, this vulnerability is suitable for denial-of-service scenarios rather than privilege escalation. No public proof-of-concept code or exploit is currently available for CVE-2026-31520.
The fix is documented in the upstream kernel patches; see the Linux stable tree commit be1a341 and related backports for technical details.
Detection Methods for CVE-2026-31520
Indicators of Compromise
- Gradual, unexplained growth in kernel kmalloc slab usage reported by /proc/slabinfo on hosts with the Apple HID driver loaded.
- Repeated HID device probe and disconnect events in dmesg corresponding to Apple vendor IDs.
- Out-of-memory (OOM) killer activity on systems that interact with Apple HID peripherals over extended uptime.
Detection Strategies
- Audit running kernel versions across the fleet and compare against the fixed commits listed in the vendor advisories.
- Enable kmemleak on test or canary systems to confirm the leak signature in apple_report_fixup().
- Correlate USB and Bluetooth HID enumeration logs with kernel memory pressure metrics to identify abuse patterns.
Monitoring Recommendations
- Monitor host metrics for sustained kernel slab growth, particularly kmalloc-* caches, on Linux endpoints and servers.
- Alert on repeated USB or Bluetooth device attach events from the same vendor over short time windows.
- Track kernel version inventory continuously so that unpatched hosts running affected releases are flagged for remediation.
How to Mitigate CVE-2026-31520
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the advisory and reboot affected systems.
- Inventory all Linux hosts running affected kernel versions and prioritize systems that expose USB or Bluetooth HID interfaces to untrusted users.
- Restrict physical and wireless HID access on shared or kiosk systems where applying the kernel update is delayed.
Patch Information
The fix is committed to the mainline and stable Linux kernel trees. Relevant patch commits include 239c151, 2635d0c, 31860c3, be1a341, e2f090a, and e652ebd. Distribution maintainers have backported these fixes; consult your Linux vendor's security tracker for the corresponding package version.
Workarounds
- Blacklist the hid_apple kernel module on systems that do not require Apple HID device support.
- Use udev rules to deny attachment of Apple vendor HID devices on hardened systems pending patch deployment.
- Schedule periodic reboots on long-running hosts that cannot be patched immediately to reclaim leaked kernel memory.
# Blacklist the hid_apple module until patched kernel is deployed
echo "blacklist hid_apple" | sudo tee /etc/modprobe.d/blacklist-hid-apple.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

