CVE-2026-31520
Memory Leak in Linux Kernel HID Apple Report Fixup Function
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.131 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.80 (exc) |
| linux | linux_kernel | From 5.17 (inc) to 6.1.168 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's HID apple driver, specifically in the apple_report_fixup() function. The function was returning a newly allocated memory buffer using kmemdup(), but it never freed this memory, causing a memory leak. The caller of this function does not take ownership of the returned pointer, which means the allocated memory remains unfreed, leading to inefficient memory usage.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a memory leak in the Linux kernel when using the affected apple HID driver. Over time, this can lead to increased memory consumption, potentially degrading system performance or causing resource exhaustion if the leak is significant and persistent.