CVE-2026-31524 Overview
A memory leak vulnerability has been identified in the Linux kernel's HID (Human Interface Device) ASUS driver. The asus_report_fixup() function was returning a newly allocated kmemdup()-allocated buffer without properly freeing it, leading to memory exhaustion over time. Additionally, a harmless out-of-bounds read condition existed due to copying more than the original descriptor size.
Critical Impact
Prolonged exploitation of this memory leak vulnerability can lead to kernel memory exhaustion, potentially causing system instability or denial of service on systems using affected ASUS HID devices.
Affected Products
- Linux Kernel (multiple stable versions)
- Systems with ASUS HID devices utilizing the affected driver
- Linux distributions running unpatched kernel versions
Discovery Timeline
- 2026-04-22 - CVE-2026-31524 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31524
Vulnerability Analysis
This vulnerability exists within the ASUS HID driver component of the Linux kernel. The asus_report_fixup() function is responsible for modifying HID report descriptors for ASUS devices. When processing these descriptors, the function was using kmemdup() to allocate and copy memory, but the allocated buffer was never freed when it was no longer needed.
The memory leak occurs because the caller of report_fixup() does not take ownership of the returned pointer. While the function is permitted to return a pointer whose lifetime is at least that of the input buffer, the implementation failed to properly manage the allocated memory's lifecycle. This creates a gradual memory consumption issue that compounds each time the function is called.
A secondary issue involved copying more data than the original descriptor size, resulting in an out-of-bounds read. While this read is classified as harmless in this context, it represents an additional code quality concern that was addressed in the fix.
Root Cause
The root cause of this vulnerability is improper memory management in the asus_report_fixup() function. The function used kmemdup() to allocate kernel memory for the report descriptor buffer but lacked corresponding deallocation logic. This is a classic Memory Leak vulnerability pattern where dynamically allocated memory is not properly tracked and released.
Attack Vector
The attack vector for this vulnerability is local, requiring access to a system with an ASUS HID device. An attacker or malicious process could potentially trigger repeated calls to the vulnerable function, accelerating memory consumption. While direct exploitation for code execution is not feasible, the memory exhaustion could be weaponized for denial of service attacks.
The vulnerability mechanism involves the following flow:
- An ASUS HID device is connected or initialized
- The asus_report_fixup() function is called to process the HID report descriptor
- Memory is allocated via kmemdup() but never freed
- Over time or with repeated triggering, kernel memory is exhausted
The fix transitions from kmemdup() to devm_kzalloc(), which ties the memory allocation to the device lifecycle, ensuring automatic cleanup when the device is removed.
Detection Methods for CVE-2026-31524
Indicators of Compromise
- Unusual kernel memory consumption growth over time, particularly in systems with ASUS HID devices
- Kernel slab memory allocation warnings or out-of-memory conditions
- System performance degradation correlated with HID device activity
Detection Strategies
- Monitor kernel memory usage patterns using tools such as slabtop or /proc/meminfo for unexpected growth
- Implement alerting on kmalloc slab usage exceeding normal baselines
- Review system logs for OOM (Out of Memory) killer activity or memory allocation failures
Monitoring Recommendations
- Deploy kernel memory monitoring solutions that track slab allocations over time
- Configure alerts for gradual memory consumption trends in kernel space
- Enable kernel tracing on affected systems to identify memory allocation patterns in HID subsystem
How to Mitigate CVE-2026-31524
Immediate Actions Required
- Update the Linux kernel to a patched version that addresses CVE-2026-31524
- Review systems with ASUS HID devices for signs of memory pressure
- Consider temporarily disabling affected ASUS HID devices on critical systems until patches are applied
- Monitor system memory usage closely on unpatched systems
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix replaces kmemdup() with devm_kzalloc() to ensure proper device-managed memory allocation, and corrects the out-of-bounds read by copying only the original descriptor size.
Patches are available through the following kernel git commits:
- Kernel Git Commit 2bad24c1
- Kernel Git Commit 2e4fe6b1
- Kernel Git Commit 726765b4
- Kernel Git Commit 7a6d6e4d
- Kernel Git Commit 84724ac4
- Kernel Git Commit a41cc7c1
- Kernel Git Commit ede95cfc
- Kernel Git Commit f20f17cf
Workarounds
- Unload the hid-asus kernel module if not required: modprobe -r hid-asus
- Blacklist the affected module by adding blacklist hid-asus to /etc/modprobe.d/blacklist.conf
- Implement memory monitoring and automatic system restarts as a temporary mitigation for production systems
- Use alternative input devices that do not rely on the affected HID driver
# Temporarily disable the hid-asus module
sudo modprobe -r hid-asus
# Permanently blacklist the module (until patched)
echo "blacklist hid-asus" | sudo tee /etc/modprobe.d/blacklist-hid-asus.conf
# Verify module is not loaded
lsmod | grep hid_asus
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
