CVE-2026-31624 Overview
A shift-out-of-bounds vulnerability exists in the Linux kernel's HID (Human Interface Device) core subsystem, specifically in the s32ton() function. This function performs bitwise shift operations based on the report_size field value, which comes directly from HID device descriptors. A malicious or malfunctioning HID device can supply a report descriptor with an excessively large field value (up to 256), causing undefined behavior when shift operations exceed the valid range for 32-bit types during output report generation.
Critical Impact
A malicious USB HID device can trigger undefined shift behavior in the kernel, potentially causing system instability or denial of service when building output reports via hid_output_field() or hid_set_field().
Affected Products
- Linux Kernel (multiple versions)
- Linux Kernel versions from 2.6.20 onwards
- Systems with HID device support enabled
Discovery Timeline
- 2026-04-24 - CVE-2026-31624 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31624
Vulnerability Analysis
The vulnerability resides in the HID core subsystem's s32ton() function, which converts signed 32-bit integers to n-bit representations. This function performs a left shift operation by n-1 bits, where n corresponds to the report_size field from HID device descriptors. The HID parser only validates that report_size is less than or equal to 256, but does not enforce the 32-bit boundary required for safe shift operations on 32-bit integer types.
When an attacker connects a specially crafted HID device (such as a malicious USB keyboard, mouse, or other input device), the device can supply a report descriptor containing an abnormally large report_size value. When the kernel subsequently calls hid_output_field() or hid_set_field() to build output reports, the s32ton() function attempts to perform shifts with exponents exceeding 32, resulting in undefined behavior according to the C standard.
This vulnerability is analogous to a previous issue fixed in commit ec61b41918587 where the companion function snto32() received a similar clamp fix. The s32ton() function was overlooked during that remediation, likely because fuzzing tools had not yet discovered a path to trigger it.
Root Cause
The root cause is insufficient input validation in the s32ton() function. While the HID parser bounds report_size to 256, the function does not clamp the value before using it as a shift exponent on 32-bit types. Shifting a 32-bit integer by more than 31 bits results in undefined behavior in C, which can manifest as incorrect values, crashes, or other unpredictable system behavior.
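The conversion and the missing bound, as an added example (not the kernel's own code): an n-bit encoder in the style of s32ton(), where n is the report_size the parser bounds only to 256. The vulnerable shape is this same function without its first check; the function names, the saturation behaviour and the "n limited to 32" clamp policy are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define HID_MAX_REPORT_SIZE 256u  /* the only bound the HID parser enforces */
#define S32TON_MAX_BITS      32u  /* the bound a shift on a 32-bit type needs */

/* True when n can be used as a shift width on a 32-bit value.
 * Values the parser accepts (33..256) fail here: that gap is the bug. */
int report_size_shift_is_safe(unsigned int n)
{
    return n >= 1 && n <= S32TON_MAX_BITS;
}

/* Mask of the low n bits for n in 1..32; 1u << 32 would itself be UB. */
static uint32_t low_bits_mask(unsigned int n)
{
    return n >= 32 ? 0xffffffffu : (1u << n) - 1u;
}

/* Encode a signed 32-bit value as an n-bit two's-complement field,
 * saturating to the n-bit signed range. Without the first check,
 * n = 256 from a crafted descriptor reaches `1u << (n - 1)`. */
uint32_t s32ton_clamped(int32_t value, unsigned int n)
{
    if (!report_size_shift_is_safe(n))
        return 0;                          /* the clamp the fix adds */
    int32_t high = value >> (n - 1);       /* bits above the field's sign bit
                                              (arithmetic shift assumed) */
    if (high != 0 && high != -1) {         /* value does not fit in n bits */
        uint32_t sign_bit = 1u << (n - 1);
        return value < 0 ? sign_bit : sign_bit - 1u;  /* n-bit min or max */
    }
    return (uint32_t)value & low_bits_mask(n);
}

int main(void)
{
    /* Constructed inputs: an in-range field, a saturated one, and a
     * report_size the parser would accept but a 32-bit shift cannot. */
    printf("s32ton(-1, 8)  = 0x%02x\n", (unsigned)s32ton_clamped(-1, 8));
    printf("s32ton(200, 8) = 0x%02x\n", (unsigned)s32ton_clamped(200, 8));
    printf("s32ton(1, 256) = 0x%x (guarded)\n", (unsigned)s32ton_clamped(1, 256));
    printf("report_size 256 safe for a 32-bit shift? %d\n",
           report_size_shift_is_safe(HID_MAX_REPORT_SIZE));
    return 0;
}
```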
Attack Vector
This vulnerability requires local access with the ability to connect a USB device or emulate a HID device. An attacker can exploit this by:
- Creating a malicious HID device (physical or emulated) with a crafted report descriptor
- Connecting the device to the target Linux system
- The kernel parses the HID report descriptor containing an oversized report_size field
- When output reports are generated, the vulnerable s32ton() function triggers undefined shift behavior
The attack can be performed using USB device emulation tools or by modifying the firmware of programmable USB devices.
Detection Methods for CVE-2026-31624
Indicators of Compromise
- Kernel panic or oops messages referencing the HID subsystem or s32ton function
- System instability or crashes occurring after connecting USB HID devices
- UBSAN (Undefined Behavior Sanitizer) warnings in kernel logs about shift-out-of-bounds operations
- Unexpected HID device connection events from unknown or untrusted devices
Detection Strategies
- Monitor kernel logs for undefined behavior sanitizer warnings related to shift operations in HID code paths
- Implement USB device whitelisting to prevent unauthorized HID device connections
- Deploy endpoint detection solutions that monitor for suspicious USB device enumeration patterns
- Enable kernel debugging options (CONFIG_UBSAN) to detect undefined behavior at runtime
Monitoring Recommendations
- Configure auditd to log all USB device connection events for forensic analysis
- Monitor for repeated HID device connection/disconnection cycles that may indicate exploitation attempts
- Set up alerts for kernel oops or panic events mentioning HID subsystem components
- Review USB device authorization policies and logs regularly for anomalous activity
How to Mitigate CVE-2026-31624
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the s32ton() clamp fix
- Restrict physical access to USB ports on sensitive systems
- Disable USB HID device auto-enumeration on critical systems where possible
- Enable USB device authorization to require explicit approval for new HID devices
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches to address this vulnerability. The fix adds a clamp operation to the s32ton() function, limiting the shift exponent to a maximum of 32 bits, consistent with the existing fix in the snto32() function.
Patches are available from the following kernel git commits:
- Kernel Git Commit 58386f0
- Kernel Git Commit 69c02ff
- Kernel Git Commit 8a8333
- Kernel Git Commit 932ae5
- Kernel Git Commit 970147
- Kernel Git Commit ea363a3
Workarounds
- Disable USB ports via BIOS/UEFI settings on systems where USB input devices are not required
- Use USB port blockers or physical security measures to prevent unauthorized device connections
- Implement kernel module blacklisting for specific HID drivers if they are not needed
- Enable and configure USBGuard to create allowlists of authorized USB devices
# USBGuard configuration to restrict HID devices
# Install and enable USBGuard
sudo apt install usbguard
sudo systemctl enable usbguard
# Generate the initial policy (allow rules for currently connected devices);
# the file is root-owned, so write it through tee rather than a shell redirect
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf > /dev/null
# Reject new HID devices (USB interface class 03) by default; rules are evaluated
# in order, so this line goes after the generated allow rules
echo 'reject with-interface one-of { 03:*:* }' | sudo tee -a /etc/usbguard/rules.conf > /dev/null
# Apply and restart
sudo systemctl restart usbguard
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.