CVE-2026-31720 Overview
CVE-2026-31720 is a stack out-of-bounds write vulnerability in the Linux kernel's USB gadget subsystem, specifically within the f_uac1_legacy (USB Audio Class 1 legacy) function driver. The flaw resides in f_audio_complete(), which copies a host-controlled req->length number of bytes into a fixed 4-byte stack variable using memcpy. Because the length field originates from the USB request path controlled by the host, an attacker can trigger a stack buffer overflow on the device acting as a USB gadget. The vulnerability is tracked under CWE-787: Out-of-bounds Write.
Critical Impact
A local attacker with the ability to send crafted USB control requests to a Linux system configured as a USB audio gadget can corrupt kernel stack memory, leading to potential kernel code execution, privilege escalation, or denial of service.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix)
- Linux Kernel 7.0 release candidates rc1 through rc6
- Systems using the f_uac1_legacy USB gadget function driver
Discovery Timeline
- 2026-05-01 - CVE-2026-31720 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31720
Vulnerability Analysis
The vulnerability exists in the f_audio_complete() callback inside drivers/usb/gadget/function/f_uac1_legacy.c. When a USB control transfer completes, the callback decodes audio class control selector data from the request buffer. The flawed code declares a 4-byte stack variable u32 data = 0 and then performs memcpy(&data, req->buf, req->length) without bounding req->length to the size of data. The req->length value reflects the transfer size requested by the USB host, meaning an attacker controlling the host side can specify a payload larger than 4 bytes and overflow the kernel stack frame.
Exploitation requires local access to the USB interface of the gadget device, such as physical USB connection or control over a paired host machine. A successful overflow corrupts adjacent stack data, including saved registers and return addresses, which can be leveraged for kernel code execution depending on stack canary configuration and kernel hardening.
Root Cause
The root cause is missing input validation on a host-supplied length field before it is used as the size argument to memcpy. The driver trusted req->length and req->actual without comparing them against the size of the destination buffer or the expected payload size for the supported USB Audio Class control selectors.
Attack Vector
An attacker connects a malicious USB host to a Linux device running the f_uac1_legacy gadget function. The attacker issues a USB audio class control request with a crafted wLength that exceeds 4 bytes. When the gadget completes the transfer, the kernel performs an unbounded memcpy into the stack variable, writing attacker-controlled bytes beyond the destination boundary. The vulnerability is reachable only on systems explicitly configured as USB audio gadgets, which limits the exposed attack surface to embedded devices, development boards, and Linux-based peripherals.
No public proof-of-concept code has been released for this vulnerability.
Detection Methods for CVE-2026-31720
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing f_audio_complete or f_uac1_legacy in dmesg or /var/log/kern.log.
- Stack protector warnings (stack-protector: Kernel stack is corrupted) on systems built with CONFIG_STACKPROTECTOR.
- Unusual USB control transfers with wLength values larger than expected for UAC1 control selectors.
Detection Strategies
- Audit running kernels and loaded modules for the usb_f_uac1_legacy module using lsmod | grep uac1 and verify whether the host is configured as a USB gadget.
- Compare installed kernel versions against the fixed commits referenced in the kernel.org stable tree to confirm patch status.
- Monitor kernel crash telemetry for repeated faults originating from the USB gadget subsystem, which can indicate exploitation attempts.
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on USB gadget driver faults.
- Track USB device enumeration events on gadget-capable systems and flag connections from unrecognized hosts.
- Apply kernel runtime integrity monitoring on embedded Linux devices that expose USB gadget interfaces.
How to Mitigate CVE-2026-31720
Immediate Actions Required
- Upgrade affected Linux kernels to a stable release containing the validation fix for f_uac1_legacy referenced in the kernel.org stable commits.
- On systems that do not require USB audio gadget functionality, unload the usb_f_uac1_legacy module and disable CONFIG_USB_F_UAC1_LEGACY in the kernel configuration.
- Restrict physical access to USB ports on devices that operate in gadget mode, particularly embedded and IoT deployments.
Patch Information
The Linux kernel maintainers have merged fixes across multiple stable branches. The patch validates req->actual against the expected payload size for each supported control selector and decodes only the expected amount of data, preventing host-influenced length values from reaching memcpy. Patch commits include 0d41772d, 21b11e85, 26304d12, 557d1d4e, 6e0e34d8, 8e5eb1d6, be2d32f0, and c6da4fed in the kernel.org stable tree.
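The bounded decode described under Root Cause and Patch Information, as an added userspace C example; it is not the kernel patch and not code from this advisory. The struct, the selector names and the per-selector sizes (1-byte mute, 2-byte volume) are assumptions made for illustration.

```c
/* Userspace model, not kernel code; every name here is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct model_req {            /* stand-in for the usb_request fields discussed */
    const void *buf;          /* bytes received from the host */
    unsigned length;          /* size requested by the host (wLength) */
    unsigned actual;          /* bytes actually transferred */
};
enum model_selector { SEL_MUTE = 1, SEL_VOLUME = 2 };

/* Assumed payload sizes: 1-byte mute, 2-byte volume; 0 means unsupported. */
static size_t expected_len(enum model_selector sel)
{
    return sel == SEL_MUTE ? 1 : sel == SEL_VOLUME ? 2 : 0;
}

/*
 * Pattern described above, shown only as a comment:
 *     u32 data = 0;
 *     memcpy(&data, req->buf, req->length);   // size chosen by the host
 * Bounded form: accept only a completion of exactly the expected size and
 * copy that fixed amount. Returns 0 and sets *out, or -1 on rejection.
 */
int decode_control(const struct model_req *req, enum model_selector sel,
                   uint32_t *out)
{
    uint8_t raw[sizeof(uint32_t)] = {0};
    size_t want = expected_len(sel);
    if (!req || !req->buf || !out || want == 0 || want > sizeof(raw))
        return -1;
    if (req->actual != want)
        return -1;
    memcpy(raw, req->buf, want);  /* size is a driver constant, not host data */
    /* USB multi-byte fields are little-endian; assemble portably. */
    *out = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
           (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
    return 0;
}

int main(void)
{
    uint8_t vol[2] = {0x34, 0x12}, big[64] = {0};   /* constructed samples */
    struct model_req ok = {vol, 2, 2}, bad = {big, 64, 64};
    uint32_t v = 0;
    printf("volume: %d\n", decode_control(&ok, SEL_VOLUME, &v));
    printf("oversized: %d\n", decode_control(&bad, SEL_VOLUME, &v));
    return 0;
}
```

The oversized request is rejected before any copy happens, so the destination is never written with more than the expected payload.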
Workarounds
- Disable the USB audio gadget configuration in configfs by removing the f_uac1_legacy function binding from active gadget configurations.
- Replace f_uac1_legacy with the modern f_uac1 driver where supported by the kernel and userspace tooling.
- Apply USB device authorization policies using /sys/bus/usb/devices/usbN/authorized_default to block untrusted hosts on multi-role USB controllers.
# Disable the f_uac1_legacy module on systems that do not need USB audio gadget support
sudo rmmod usb_f_uac1_legacy
echo "blacklist usb_f_uac1_legacy" | sudo tee /etc/modprobe.d/blacklist-uac1-legacy.conf
sudo update-initramfs -u
# Verify the running kernel version after patching
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


