PatchSiren


CVE-2026-31401 Linux CVE debrief

CVE-2026-31401 is a Linux kernel HID-BPF buffer overflow in hid_hw_request. Per the CVE description, the code assumes the value returned by dispatch_hid_bpf_raw_requests() is always valid, but a HID-BPF struct_ops implementation can return an arbitrarily large value; because that value is used as a size, it is an unchecked length that can overflow a buffer. NVD assigns CVSS 7.8 (HIGH) with a local attack vector, low attack complexity, low privileges required, and no user interaction, and lists affected Linux kernel branches in the 6.11, 6.13, 6.19, and 7.0-rc lines.

Vendor
Linux
Product
Linux kernel (from the CVE description; no product field in the source record)
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-03
Original CVE updated
2026-05-20
Advisory published
2026-04-03
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and operators running kernels with HID-BPF support should review this issue. It matters most on systems where local users or local workloads can reach the affected kernel path. Since the oversized value comes from a struct_ops implementation, the practical question is which local principals on a host can load and attach BPF programs: check the kernel.unprivileged_bpf_disabled sysctl and which users or containers hold CAP_BPF or CAP_SYS_ADMIN, and treat hosts where that set includes untrusted parties as the most exposed.

Technical summary

NVD classifies the flaw as CWE-787 (out-of-bounds write). The supplied description says hid_hw_request trusts the return value from dispatch_hid_bpf_raw_requests(), but when a HID-BPF struct_ops implementation is attached that value can be arbitrarily large. Because the caller treats the return value as a size, an oversized value becomes an out-of-bounds access on the report buffer. NVD's CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: locally reachable kernel memory corruption with high confidentiality, integrity, and availability impact, low privileges required, and no user interaction. NVD's vulnerable CPE ranges are 6.11 up to but not including 6.12.78, 6.13 up to but not including 6.18.20, 6.19 up to but not including 6.19.10, and 7.0-rc1 through 7.0-rc4, so the first unaffected stable releases in those series are 6.12.78, 6.18.20, and 6.19.10.
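The bug class the description names, as an added illustration written for this debrief (it is not kernel source and does not claim to be the upstream fix): a caller takes a callback-supplied byte count as the amount of valid data in a buffer it allocated, without comparing the two. Names such as raw_request_hook, lying_hook and report_len_* are hypothetical, and the unchecked variant returns the length it would use downstream rather than actually reading past the buffer, so the program runs cleanly.

```c
/* Added illustration of the bug class behind CVE-2026-31401, not the
 * kernel's code: a caller takes a callback's return value as "bytes now
 * valid in buf" without comparing it to the buffer it allocated. All
 * names here (raw_request_hook, lying_hook, report_len_*) are hypothetical.
 * The unchecked path returns the length it would hand downstream instead
 * of actually reading past the buffer, so the program runs cleanly. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPORT_BUF_LEN 64u   /* stand-in for the allocated report buffer */

/* Modelled on a struct_ops-supplied request hook: returns the number of
 * bytes it placed in buf, or a negative errno. Because a loaded BPF
 * program implements it, the return value is under that program's
 * control, not the core's. */
typedef int (*raw_request_hook)(uint8_t *buf, size_t len);

/* Well-behaved hook: fills the buffer and reports the true count. */
static int honest_hook(uint8_t *buf, size_t len)
{
    memset(buf, 0x41, len);
    return (int)len;
}

/* Misbehaving hook: writes nothing and claims far more than fits. */
static int lying_hook(uint8_t *buf, size_t len)
{
    (void)buf;
    (void)len;
    return 1 << 20;
}

/* Vulnerable pattern: the hook's result is passed straight on as the
 * length of valid data in a REPORT_BUF_LEN-byte buffer. A caller that
 * then parses or copies that many bytes runs past the allocation. */
int report_len_unchecked(raw_request_hook hook)
{
    uint8_t buf[REPORT_BUF_LEN];

    return hook(buf, sizeof buf);   /* never compared with sizeof buf */
}

/* Hardened pattern: a positive result larger than the buffer is a
 * protocol violation by the hook, so fail closed. Rejecting rather than
 * clamping keeps a broken or hostile program from being silently
 * accepted; the CVE text does not say whether upstream rejects or clamps,
 * so this is one reasonable fix, not a claim about the patch. */
int report_len_checked(raw_request_hook hook)
{
    uint8_t buf[REPORT_BUF_LEN];
    int ret = hook(buf, sizeof buf);

    if (ret < 0)
        return ret;                 /* propagate the hook's own error */
    if ((size_t)ret > sizeof buf)
        return -EINVAL;             /* claimed more than was allocated */
    return ret;
}

/* True when a length taken from a hook exceeds the buffer it describes. */
int would_overflow(int len)
{
    return len > 0 && (size_t)len > REPORT_BUF_LEN;
}

int main(void)
{
    int u = report_len_unchecked(lying_hook);
    int c = report_len_checked(lying_hook);

    printf("unchecked: hook claimed %d bytes for a %u-byte buffer, overflow=%d\n",
           u, REPORT_BUF_LEN, would_overflow(u));
    printf("checked:   %s\n", c == -EINVAL ? "rejected with -EINVAL" : "accepted");
    printf("honest hook through the checked path: %d bytes\n",
           report_len_checked(honest_hook));
    return 0;
}
```

Build with any C compiler (cc -Wall example.c) and run it: the unchecked path reports a length of 1048576 for a 64-byte buffer, which is exactly the value a downstream copy or parser would use, while the checked path refuses it and still accepts the honest hook's 64 bytes. The same review question applies to any kernel path that lets a BPF struct_ops callback return a size: find where that size is consumed and confirm it is bounded by the allocation before it gets there.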

Defensive priority

High

Recommended defensive actions

  • Apply the referenced Linux kernel fixes from the official stable/kernel.org patch links.
  • Upgrade affected kernels past the NVD ranges (6.12.78, 6.18.20, 6.19.10, or a 7.0 build later than rc4), or confirm your vendor kernel carries the backport; compare the output of uname -r against the first fixed version for its series.
  • Verify that downstream or distro kernel builds have actually incorporated the HID-BPF fix, not just that the upstream commit exists: distro version strings rarely match upstream numbers, so look for the CVE ID in the package changelog or vendor advisory.
  • Prioritize hosts where untrusted local users or containerized workloads can load BPF programs and so reach the HID-BPF request path; this is a local-only issue, so exposure follows who can run code on the machine.
  • Track vendor advisories for exact fixed package versions if you rely on distribution backports.

Evidence notes

The description and severity/vector come from the supplied NVD record. Affected-version ranges are taken from the NVD CPE criteria in the source item. The four kernel.org URLs are official patch references, but the patch contents themselves were not included in the supplied corpus, so this debrief avoids claiming exact code changes beyond the CVE description.

Official resources

Published 2026-04-03T16:16:39.140Z and last modified 2026-05-20T12:19:54.790Z. No KEV entry is present in the supplied data.