CVE-2026-31720

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A stack out-of-bounds write exists in the f audio complete() function. The issue occurs because the function copies req->length bytes into a 4-byte stack variable using memcpy(). Since req->length is derived from a host-controlled USB request path, a remote host can influence the length to overwrite the stack.

Recommendations Validate req->actual against the expected payload size for supported control selectors and decode only the expected amount of data to avoid copying host-influenced lengths into fixed-size stack objects.