CVE-2026-31522 Overview
CVE-2026-31522 is a memory leak vulnerability in the Linux kernel's HID (Human Interface Device) subsystem, specifically affecting the Magic Mouse driver. The magicmouse_report_fixup() function was allocating memory using kmemdup() to create a new buffer but never freeing it, resulting in a kernel memory leak that could potentially lead to system resource exhaustion over time.
Critical Impact
Systems with Magic Mouse devices connected may experience gradual memory depletion as the kernel driver leaks memory with each report fixup operation, potentially leading to system instability or denial of service conditions.
Affected Products
- Linux kernel (multiple stable versions affected)
- Systems using the HID Magic Mouse driver (hid-magicmouse module)
- Apple Magic Mouse devices connected to Linux systems
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-31522 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31522
Vulnerability Analysis
The vulnerability exists in the magicmouse_report_fixup() function within the Linux kernel's HID Magic Mouse driver. This function is responsible for modifying HID report descriptors to properly handle Magic Mouse input. The function was incorrectly using kmemdup() to allocate a new buffer for the modified report descriptor.
The core issue is a misunderstanding of the memory ownership model in the HID subsystem. The caller of report_fixup() does not take ownership of the returned pointer. The function is permitted to return a sub-portion of the input rdesc, whose lifetime is managed by the caller. By allocating new memory and returning it, the function created an orphaned allocation that could never be freed, as the caller assumed no ownership responsibility.
Each time the Magic Mouse driver processes a report fixup, memory is allocated but never released back to the kernel memory pool. On systems with connected Magic Mouse devices, this can lead to cumulative memory consumption over time.
Root Cause
The root cause is improper memory management in the magicmouse_report_fixup() function. The function used kmemdup() to create a copy of the report descriptor buffer and returned this newly allocated buffer. However, the HID subsystem's report_fixup callback contract does not transfer memory ownership to the caller, meaning no component was responsible for freeing the allocated memory.
The correct approach is to either modify the input buffer in-place or return a pointer to a static/pre-allocated buffer rather than dynamically allocating memory that will never be freed.
Attack Vector
This vulnerability has an unknown attack vector classification. While memory leak vulnerabilities typically require local access and device interaction, the practical exploitation scenario involves:
The memory leak is triggered through normal device operation when a Magic Mouse is connected to a Linux system. An attacker with local access could potentially exploit this by repeatedly triggering conditions that invoke the magicmouse_report_fixup() function, accelerating memory exhaustion. However, passive exploitation through normal device usage would also gradually deplete system memory over extended periods of operation.
Detection Methods for CVE-2026-31522
Indicators of Compromise
- Gradual increase in kernel memory usage (slab allocations) on systems with Magic Mouse devices
- Memory allocation patterns associated with the hid-magicmouse kernel module
- System memory exhaustion warnings in kernel logs (dmesg)
- Unusual growth in kmalloc-* slab caches over time
Detection Strategies
- Monitor kernel slab allocations using /proc/slabinfo for unexplained growth patterns
- Track memory usage trends on systems with connected Magic Mouse devices
- Implement kernel memory leak detection tools such as kmemleak to identify orphaned allocations
- Review system logs for out-of-memory (OOM) conditions that may indicate chronic memory leakage
Monitoring Recommendations
- Deploy system monitoring to track kernel memory consumption over extended periods
- Configure alerts for abnormal memory growth patterns on workstations with HID devices
- Use SentinelOne's Linux agent to monitor kernel module behavior and resource consumption
- Periodically audit loaded kernel modules and their memory footprint
How to Mitigate CVE-2026-31522
Immediate Actions Required
- Update to a patched Linux kernel version that includes the memory leak fix
- Monitor affected systems for memory exhaustion symptoms until patches can be applied
- Consider temporarily unloading the hid-magicmouse module on critical systems if Magic Mouse functionality is not required
- Implement scheduled system reboots as a temporary workaround to reclaim leaked memory
Patch Information
The Linux kernel development team has released patches to address this vulnerability across multiple stable kernel branches. The fix corrects the memory management in magicmouse_report_fixup() to avoid orphaned memory allocations.
Patch commits are available from the kernel.org stable git repository:
- Kernel Git Commit 136f605
- Kernel Git Commit 579c4c9
- Kernel Git Commit 79e5dcc
- Kernel Git Commit 7edfe43
- Kernel Git Commit 91e8c6e
- Kernel Git Commit d84c21a
- Kernel Git Commit fa95b01
Workarounds
- Unload the hid-magicmouse kernel module if Magic Mouse functionality is not required: modprobe -r hid-magicmouse
- Blacklist the module to prevent automatic loading by adding blacklist hid-magicmouse to /etc/modprobe.d/blacklist.conf
- Schedule periodic system reboots to reclaim leaked kernel memory on systems that cannot be immediately patched
- Use alternative pointing devices that do not require the affected driver
# Temporary workaround: Unload and blacklist the affected module
sudo modprobe -r hid-magicmouse
echo "blacklist hid-magicmouse" | sudo tee /etc/modprobe.d/blacklist-magicmouse.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
