CVE-2026-31720

usb: gadget: f_uac1_legacy: validate control request size

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_uac1_legacy: validate control request size f_audio_complete() copies req->length bytes into a 4-byte stack
variable: u32 data = 0; memcpy(&data, req->buf, req->length); req->length is derived from the host-controlled USB request path,
which can lead to a stack out-of-bounds write. Validate req->actual against the expected payload size for the
supported control selectors and decode only the expected amount
of data. This avoids copying a host-influenced length into a fixed-size
stack object.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2026-03-09 CVE Reserved
2026-05-01 CVE Published
2026-05-07 EPSS Updated
2026-05-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/c6994e6f067cf0fc4c6cca3d164018b1150916f8	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/557d1d4e862eccd0b74cc377b66de3e1e8d49605	2026-04-18
https://git.kernel.org/stable/c/21b11e8581285c6f10ef43d05df349d445f24273	2026-04-18
https://git.kernel.org/stable/c/0d41772d98dcaf6c17e875b7d0ea0154ae1191ee	2026-04-11
https://git.kernel.org/stable/c/c6da4fed7537aec19880c24f6c3a95065adb1406	2026-04-11
https://git.kernel.org/stable/c/be2d32f0c3fe333d14c0a9ca90328dacbc3e06b8	2026-04-11
https://git.kernel.org/stable/c/8e5eb1d6e6a3d7bbea9c92132d0cda5793176426	2026-04-11
https://git.kernel.org/stable/c/26304d124e7f0383f8fe1168b5801a0ac7e16b1c	2026-04-11
https://git.kernel.org/stable/c/6e0e34d85cd46ceb37d16054e97a373a32770f6c	2026-04-02

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.10.253 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.10.253"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 5.15.203 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 5.15.203"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.1.168 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.1.168"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.6.134 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.6.134"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.12.81 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.12.81"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.18.22 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.18.22"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 6.19.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 6.19.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.31 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.31 < 7.0"		en		Affected