{"id":"CVE-2026-31720","summary":"usb: gadget: f_uac1_legacy: validate control request size","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_uac1_legacy: validate control request size\n\nf_audio_complete() copies req-\u003elength bytes into a 4-byte stack\nvariable:\n\n  u32 data = 0;\n  memcpy(&data, req-\u003ebuf, req-\u003elength);\n\nreq-\u003elength is derived from the host-controlled USB request path,\nwhich can lead to a stack out-of-bounds write.\n\nValidate req-\u003eactual against the expected payload size for the\nsupported control selectors and decode only the expected amount\nof data.\n\nThis avoids copying a host-influenced length into a fixed-size\nstack object.","modified":"2026-05-18T05:58:44.385969633Z","published":"2026-05-01T14:14:22.832Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31720.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0d41772d98dcaf6c17e875b7d0ea0154ae1191ee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/21b11e8581285c6f10ef43d05df349d445f24273"},{"type":"WEB","url":"https://git.kernel.org/stable/c/26304d124e7f0383f8fe1168b5801a0ac7e16b1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/557d1d4e862eccd0b74cc377b66de3e1e8d49605"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6e0e34d85cd46ceb37d16054e97a373a32770f6c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8e5eb1d6e6a3d7bbea9c92132d0cda5793176426"},{"type":"WEB","url":"https://git.kernel.org/stable/c/be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c6da4fed7537aec19880c24f6c3a95065adb1406"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31720.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31720"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c6994e6f067cf0fc4c6cca3d164018b1150916f8"},{"fixed":"557d1d4e862eccd0b74cc377b66de3e1e8d49605"},{"fixed":"21b11e8581285c6f10ef43d05df349d445f24273"},{"fixed":"0d41772d98dcaf6c17e875b7d0ea0154ae1191ee"},{"fixed":"c6da4fed7537aec19880c24f6c3a95065adb1406"},{"fixed":"be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8"},{"fixed":"8e5eb1d6e6a3d7bbea9c92132d0cda5793176426"},{"fixed":"26304d124e7f0383f8fe1168b5801a0ac7e16b1c"},{"fixed":"6e0e34d85cd46ceb37d16054e97a373a32770f6c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31720.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.31"},{"fixed":"5.10.253"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.203"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.168"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.134"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.81"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.22"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.12"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31720.json"}}],"schema_version":"1.7.5"}