{"id":"CVE-2026-31624","summary":"HID: core: clamp report_size in s32ton() to avoid undefined shift","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: clamp report_size in s32ton() to avoid undefined shift\n\ns32ton() shifts by n-1 where n is the field's report_size, a value that\ncomes directly from a HID device.  The HID parser bounds report_size\nonly to \u003c= 256, so a broken HID device can supply a report descriptor\nwith a wide field that triggers shift exponents up to 256 on a 32-bit\ntype when an output report is built via hid_output_field() or\nhid_set_field().\n\nCommit ec61b41918587 (\"HID: core: fix shift-out-of-bounds in\nhid_report_raw_event\") added the same n \u003e 32 clamp to the function\nsnto32(), but s32ton() was never given the same fix as I guess syzbot\nhadn't figured out how to fuzz a device the same way.\n\nFix this up by just clamping the max value of n, just like snto32()\ndoes.","modified":"2026-05-18T05:59:52.464657126Z","published":"2026-04-24T14:42:41.655Z","related":["CGA-363w-h5r8-6xjf","openSUSE-SU-2026:10703-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31624.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/58386f00af710922cafb0fb69211497beddfaa95"},{"type":"WEB","url":"https://git.kernel.org/stable/c/69c02ffde6ed4d535fa4e693a9e572729cad3d0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a8333237f1f5caab8d4c3d2c2e7578c4263a97f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/932ae5309e53561197aa7d1606c7cf63af10e24f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/97014719bb8fccb1ffcbbc299e84b1f11b114195"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea363a34086ddb4231adc581a7f36c39ec154bfc"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31624.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31624"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dde5845a529ff753364a6d1aea61180946270bfa"},{"fixed":"932ae5309e53561197aa7d1606c7cf63af10e24f"},{"fixed":"58386f00af710922cafb0fb69211497beddfaa95"},{"fixed":"8a8333237f1f5caab8d4c3d2c2e7578c4263a97f"},{"fixed":"ea363a34086ddb4231adc581a7f36c39ec154bfc"},{"fixed":"97014719bb8fccb1ffcbbc299e84b1f11b114195"},{"fixed":"69c02ffde6ed4d535fa4e693a9e572729cad3d0d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31624.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.20"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.20.0"},{"fixed":"7.0.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31624.json"}}],"schema_version":"1.7.5"}
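Added illustration (not code from the kernel tree or from the fix commits referenced above) of the bug class the "details" field describes: a device-controlled field width n reaches a shift by n-1 on a 32-bit type, and the parser's only bound on report_size is <= 256, so n in 33..256 (and n == 0) makes the shift undefined. `s32ton_unclamped` mirrors the pre-fix shape of the conversion and is deliberately left undefined for such n (it is only called with a safe width here); `s32ton_clamped` is a constructed hardened version that applies the same n > 32 clamp the advisory says snto32() already had, plus an explicit mask for n == 32 so that no shift by the full type width remains. The descriptor widths and the helper names are assumptions made for this example, not kernel identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest report_size the HID parser lets through, per the advisory text. */
#define HID_MAX_REPORT_SIZE 256u

/*
 * Pre-fix shape: convert a signed 32-bit value to an n-bit field, where n
 * is the field's report_size straight from the device descriptor. With
 * n == 0 or n > 32 the shifts below are undefined behaviour; that is the
 * defect. Never call this with an unclamped device-supplied n.
 */
static uint32_t s32ton_unclamped(int32_t value, unsigned int n)
{
    int32_t a = value >> (n - 1);                 /* UB when n == 0 or n > 32 */
    if (a && a != -1)
        return value < 0 ? 1u << (n - 1) : (1u << (n - 1)) - 1u;
    return (uint32_t)value & ((1u << n) - 1u);   /* UB when n >= 32 */
}

/*
 * Constructed hardened version (assumed shape, not a verbatim copy of the
 * upstream patch): clamp n to the width of the 32-bit type, as the advisory
 * says snto32() does, and build the n == 32 mask without shifting by 32.
 */
static uint32_t s32ton_clamped(int32_t value, unsigned int n)
{
    int32_t a;
    uint32_t mask;

    if (!n)
        return 0;
    if (n > 32)
        n = 32;                                   /* the clamp the fix adds */

    /* (1u << 32) would itself be UB, so derive the full-width mask directly. */
    mask = (n == 32) ? 0xFFFFFFFFu : (1u << n) - 1u;

    a = value >> (n - 1);      /* arithmetic shift on GCC/Clang for negatives */
    if (a && a != -1)          /* value does not fit in n signed bits: saturate */
        return value < 0 ? 1u << (n - 1) : (1u << (n - 1)) - 1u;
    return (uint32_t)value & mask;
}

/* True when a report_size would make the unclamped conversion undefined. */
static bool report_size_shift_is_undefined(unsigned int report_size)
{
    return report_size == 0 || report_size > 32;
}

/* Count how many field widths of a descriptor fall into the undefined range. */
static unsigned int count_unsafe_widths(const unsigned int *widths, size_t count)
{
    unsigned int bad = 0;
    for (size_t i = 0; i < count; i++)
        if (report_size_shift_is_undefined(widths[i]))
            bad++;
    return bad;
}

/* Constructed field widths a hostile descriptor could carry; 256 passes the parser. */
static const unsigned int demo_widths[] = { 1, 8, 16, 32, 33, 64, HID_MAX_REPORT_SIZE };
#define DEMO_WIDTH_COUNT (sizeof(demo_widths) / sizeof(demo_widths[0]))

static unsigned int demo_unsafe_count(void)
{
    return count_unsafe_widths(demo_widths, DEMO_WIDTH_COUNT);
}

int main(void)
{
    for (size_t i = 0; i < DEMO_WIDTH_COUNT; i++) {
        unsigned int n = demo_widths[i];
        printf("report_size=%3u  unclamped shift %s  clamped s32ton(-1)=0x%08x\n",
               n, report_size_shift_is_undefined(n) ? "UNDEFINED" : "ok       ",
               s32ton_clamped(-1, n));
    }
    printf("%u of %zu widths would hit undefined shifts\n",
           demo_unsafe_count(), DEMO_WIDTH_COUNT);
    return 0;
}
```

The saturation branch reproduces the n-bit signed range: 200 does not fit in 8 signed bits and becomes 0x7f, -200 becomes 0x80, while -1 packs to 0xff. With the clamp, a report_size of 256 is treated as 32 and yields a defined result; without it the same input is a shift by 255 on a 32-bit type.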