Skip to main content

Linux Kernel CVE-2026-43111

| EUVDEUVD-2026-27633 HIGH
Use After Free (CWE-416)
2026-05-06 Linux GHSA-mv3m-x6qp-j4p5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:27 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

HID: roccat: fix use-after-free in roccat_report_event

roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free.

Protect the readers list traversal with the readers_lock mutex.

AnalysisAI

Race condition in Linux kernel HID roccat driver enables local privilege escalation through use-after-free memory corruption. Local authenticated attackers can exploit concurrent access to device reader lists during roccat_report_event() operations, achieving arbitrary code execution with high integrity impact (CVSS 7.8). Vendor-released patches available across multiple kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite moderate severity, suggesting limited weaponization in current threat landscape.

Technical ContextAI

The vulnerability exists in the Linux kernel's Human Interface Device (HID) subsystem, specifically the roccat driver used for Roccat gaming peripherals. The roccat_report_event() function traverses the device->readers linked list without acquiring the readers_lock mutex, creating a time-of-check-time-of-use race condition. When roccat_release() executes concurrently on another thread, it can remove and deallocate a reader structure while roccat_report_event() still holds a pointer to it, resulting in a classic use-after-free condition. This represents a CWE-416 class vulnerability (Use After Free) where freed heap memory is accessed, potentially allowing arbitrary memory reads/writes depending on heap allocation patterns. The roccat driver facilitates communication with Roccat brand HID devices through a character device interface with multiple concurrent reader processes.

RemediationAI

Upgrade to patched kernel versions: 6.6.136+ for 6.6.x series, 6.12.83+ for 6.12.x series, 6.18.24+ for 6.18.x series, 6.19.14+ for 6.19.x series, or 7.0+ for mainline. Patches available at git.kernel.org stable tree commits e6a445513fbc, e16a6d11bd77, 36bb2d0b9150, bca0b595e154, and d802d848308b. For systems unable to immediately patch, disable the roccat kernel module via blacklist configuration in /etc/modprobe.d/blacklist.conf (add 'blacklist hid_roccat') and reboot, or remove Roccat HID devices physically. This mitigation eliminates attack surface but renders Roccat peripherals non-functional. Alternatively, restrict local shell access to trusted users only and monitor for unusual kernel module activity. Organizations without Roccat gaming hardware can verify the hid_roccat module is not loaded via lsmod and deprioritize patching relative to other vulnerabilities.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy