CVE-2026-31624

Source
https://cve.org/CVERecord?id=CVE-2026-31624
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31624.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31624
Downstream
Related
Published
2026-04-24T14:42:41.655Z
Modified
2026-05-18T05:59:52.464657126Z
Summary
HID: core: clamp report_size in s32ton() to avoid undefined shift
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: core: clamp report_size in s32ton() to avoid undefined shift

s32ton() shifts by n-1 where n is the field's report_size, a value that comes directly from a HID device. The HID parser bounds report_size only to <= 256, so a broken HID device can supply a report descriptor with a wide field that triggers shift exponents up to 256 on a 32-bit type when an output report is built via hid_output_field() or hid_set_field().

Commit ec61b41918587 ("HID: core: fix shift-out-of-bounds in hid_report_raw_event") added the same n > 32 clamp to the function snto32(), but s32ton() was never given the same fix as I guess syzbot hadn't figured out how to fuzz a device the same way.

Fix this up by just clamping the max value of n, just like snto32() does.
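As an added illustration for this record (not the kernel's source and not part of the commit message above), the C below reimplements the saturating 32-bit-to-n-bit conversion that the commit message says s32ton() performs, with the report_size clamp the fix describes in place. The function name s32ton_clamped and the (value, report_size) pairs in main() are my own constructed names and inputs; the 256-bit case stands in for the descriptor-supplied width that the unclamped code would turn into a shift exponent beyond the 32-bit type.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/*
 * Saturating conversion of a signed 32-bit value into an n-bit
 * two's-complement HID field, modelled on what the commit message
 * says s32ton() does. Illustrative reimplementation, not kernel code.
 *
 * n is the field's report_size. The HID parser only bounds that to
 * <= 256, so without the clamp a descriptor declaring a 256-bit field
 * would make the shifts below use exponents >= 32 on a 32-bit type,
 * which is undefined behaviour in C.
 */
uint32_t s32ton_clamped(int32_t value, unsigned int n)
{
    if (n == 0)
        return 0;
    /* The fix: the value is only 32 bits wide, so a wider field can
     * never need more than 32 bits of it. Every shift below now uses
     * an exponent in [0, 31]. */
    if (n > 32)
        n = 32;

    uint32_t sign_bit = (uint32_t)1 << (n - 1);   /* 2^(n-1) */
    /* n low bits set; unsigned wraparound yields all ones when n == 32 */
    uint32_t field_mask = (sign_bit << 1) - 1;

    /* Fit test: after dropping the low n-1 bits, a value that fits in
     * an n-bit signed field leaves only 0 or -1 (nothing but sign bits).
     * Right-shifting a negative int is implementation-defined in ISO C;
     * gcc and clang, like the kernel, shift in copies of the sign bit. */
    int32_t a = value >> (n - 1);
    if (a != 0 && a != -1)
        return value < 0 ? sign_bit : sign_bit - 1;  /* saturate to min / max */

    return (uint32_t)value & field_mask;  /* fits: keep the low n bits */
}

int main(void)
{
    /* Constructed (value, report_size) pairs, including the
     * out-of-range width a hostile descriptor could declare. */
    struct { int32_t value; unsigned int size; } cases[] = {
        { -1, 8 }, { 127, 8 }, { 200, 8 }, { -200, 8 },
        { INT32_MIN, 32 }, { -5, 256 }, { INT32_MAX, 40 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("value=%11" PRId32 " report_size=%3u -> 0x%08" PRIx32 "\n",
               cases[i].value, cases[i].size,
               s32ton_clamped(cases[i].value, cases[i].size));
    return 0;
}
```

The clamp is the whole fix: a 256-bit field and a 32-bit field produce the same encoding for any 32-bit input, so nothing is lost by capping n, and the shift exponent can no longer exceed 31. Building the same binary with -fsanitize=undefined and removing the two clamp lines is a quick way to see the sanitizer flag the 256-bit case.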

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31624.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
dde5845a529ff753364a6d1aea61180946270bfa
Fixed
932ae5309e53561197aa7d1606c7cf63af10e24f
Fixed
58386f00af710922cafb0fb69211497beddfaa95
Fixed
8a8333237f1f5caab8d4c3d2c2e7578c4263a97f
Fixed
ea363a34086ddb4231adc581a7f36c39ec154bfc
Fixed
97014719bb8fccb1ffcbbc299e84b1f11b114195
Fixed
69c02ffde6ed4d535fa4e693a9e572729cad3d0d

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31624.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.20
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.83
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14
Type
ECOSYSTEM
Events
Introduced
6.20.0
Fixed
7.0.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31624.json"