{
  "threat_severity" : "Low",
  "public_date" : "2026-04-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: HID: bpf: prevent buffer overflow in hid_hw_request",
    "id" : "2454818",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454818"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-131",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nHID: bpf: prevent buffer overflow in hid_hw_request\nRight now the returned value is considered to be always valid. However,\nwhen playing with HID-BPF, the return value can be arbitrarily big,\nbecause it's the return value of dispatch_hid_bpf_raw_requests(), which\ncalls the struct_ops and we have no guarantees that the value makes\nsense.", "A flaw was found in the Linux kernel's Human Interface Device (HID) BPF (Berkeley Packet Filter) component. This vulnerability occurs in the `hid_hw_request` function, where an uncontrolled return value from `dispatch_hid_bpf_raw_requests()` can lead to a buffer overflow. This could allow a local attacker to cause memory corruption, potentially leading to a denial of service or information disclosure." ],
  "statement" : "HID-BPF struct_ops can return an arbitrary length; the driver previously trusted it for sizing. Loading malicious BPF requires privileges (for example CAP_BPF / perfmon depending on configuration). Clamping the return value prevents overflow.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31401\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31401\nhttps://lore.kernel.org/linux-cve-announce/2026040327-CVE-2026-31401-697d@gregkh/T" ],
  "name" : "CVE-2026-31401",
  "csaw" : false
}