CVE-2026-31720

by Fred · 01/05/2026

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_uac1_legacy: validate control request size

f_audio_complete() copies req->length bytes into a 4-byte stack
variable:

u32 data = 0;
memcpy(&data, req->buf, req->length);

req->length is derived from the host-controlled USB request path,
which can lead to a stack out-of-bounds write.

Validate req->actual against the expected payload size for the
supported control selectors and decode only the expected amount
of data.

This avoids copying a host-influenced length into a fixed-size
stack object.