Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-24T00:00:00 kernel: HID: core: clamp report_size in s32ton() to avoid undefined shift 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CWE-1335

In the Linux kernel, the following vulnerability has been resolved: HID: core: clamp report_size in s32ton() to avoid undefined shift s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field(). Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way. Fix this up by just clamping the max value of n, just like snto32() does.

A flaw was found in the Linux kernel's Human Interface Device (HID) core. A malicious or malformed HID device could provide a specially crafted report descriptor with an overly large `report_size` value. This could lead to an undefined shift operation within the `s32ton()` function when processing output reports. This vulnerability may result in system instability or a denial of service (DoS).

HID `s32ton()` now clamps `report_size` so pathological descriptors cannot provoke undefined left-shift behavior. Red Hat treats this as local USB/HID attack surface hardening. Core HID is not practically unloadable; patch kernels. Red Hat Enterprise Linux 10 Fix deferred kernel Red Hat Enterprise Linux 6 Not affected kernel Red Hat Enterprise Linux 7 Fix deferred kernel Red Hat Enterprise Linux 7 Fix deferred kernel-rt Red Hat Enterprise Linux 8 Fix deferred kernel Red Hat Enterprise Linux 8 Fix deferred kernel-rt Red Hat Enterprise Linux 9 Fix deferred kernel Red Hat Enterprise Linux 9 Fix deferred kernel-rt https://www.cve.org/CVERecord?id=CVE-2026-31624 https://nvd.nist.gov/vuln/detail/CVE-2026-31624 https://lore.kernel.org/linux-cve-announce/2026042426-CVE-2026-31624-e19a@gregkh/T