Skip to main content

Linux Kernel CVE-2026-43049

| EUVDEUVD-2026-26648 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 21:15 vuln.today
CVSS changed
May 07, 2026 - 19:07 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26648
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure

Presently, if the force feedback initialisation fails when probing the Logitech G920 Driving Force Racing Wheel for Xbox One, an error number will be returned and propagated before the userspace infrastructure (sysfs and /dev/input) has been torn down. If userspace ignores the errors and continues to use its references to these dangling entities, a UAF will promptly follow.

We have 2 options; continue to return the error, but ensure that all of the infrastructure is torn down accordingly or continue to treat this condition as a warning by emitting the message but returning success. It is thought that the original author's intention was to emit the warning but keep the device functional, less the force feedback feature, so let's go with that.

AnalysisAI

Use-after-free in Linux kernel HID subsystem allows local attackers with low privileges to achieve arbitrary code execution, privilege escalation, or denial of service when force feedback initialization fails on Logitech G920 racing wheels. The vulnerability occurs when userspace continues accessing freed memory structures (sysfs and /dev/input) after initialization errors. Vendor patches available across multiple stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates very low probability of mass exploitation, consistent with hardware-specific local attack surface requiring physical device presence.

Technical ContextAI

This vulnerability affects the Linux kernel HID (Human Interface Device) subsystem, specifically the logitech-hidpp driver that handles advanced Logitech gaming peripherals. The root cause is CWE-416 (Use After Free) occurring during device probe operations. When force feedback (FF) initialization fails for the Logitech G920 Driving Force Racing Wheel, the driver returns an error but fails to properly tear down userspace-facing infrastructure including sysfs entries and /dev/input device nodes. If userspace processes maintain file descriptors or references to these structures and continue I/O operations, they access freed kernel memory. The affected code path involves the device probe sequence where resource cleanup ordering is incorrect, violating the principle that all externally-visible interfaces must be removed before freeing backing memory structures. The fix changes error handling to treat FF initialization failure as non-fatal, emitting warnings but maintaining device functionality minus force feedback features.

RemediationAI

Upgrade to patched kernel versions: 6.12.81 or later in 6.12.x series, 6.18.22 or later in 6.18.x series, 6.19.12 or later in 6.19.x series, or 7.0 mainline. Distribution-specific updates from Red Hat, Ubuntu, Debian, SUSE will incorporate these commits into their kernel packages with vendor-specific version numbers. Kernel advisories available at kernel.org stable tree links provided in references. For systems that cannot immediately patch, compensating control is to blacklist the logitech-hidpp kernel module via /etc/modprobe.d/blacklist.conf (add 'blacklist hid_logitech_hidpp'), which prevents the vulnerable driver from loading but also disables all Logitech advanced HID features for affected devices. This workaround is only viable if Logitech G920 wheels are not business-critical peripherals. Alternative mitigation is restricting physical USB port access to prevent untrusted device connections, though this does not protect against attacks by already-authenticated local users with their own gaming peripherals. No significant operational side effects from patching expected as fix maintains device functionality by converting fatal errors to warnings.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy