Skip to main content

Linux Kernel EUVDEUVD-2026-26647

| CVE-2026-43048 HIGH
Out-of-bounds Read (CWE-125)
2026-05-01 Linux
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:38 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
8.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26647
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

HID: core: Mitigate potential OOB by removing bogus memset()

The memset() in hid_report_raw_event() has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the buffer. However, as we have previously seen, doing so can easily result in OOB reads and writes in the subsequent thread of execution.

The current suggestion from one of the HID maintainers is to remove the memset() and simply return if the incoming event buffer size is not large enough to fill the associated report.

Suggested-by Benjamin Tissoires <bentiss@kernel.org>

[bentiss: changed the return value]

AnalysisAI

Adjacent network attackers can achieve high-severity code execution, information disclosure, or denial of service in the Linux kernel HID (Human Interface Device) subsystem by exploiting a bounds-checking flaw in hid_report_raw_event(). A bogus memset() operation intended to zero unused buffer space instead creates out-of-bounds read/write conditions when processing malformed HID input reports from adjacent devices (USB, Bluetooth). Vendor patches available for stable branches 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% suggests minimal observed exploitation, but the unauthenticated adjacent-network attack vector with low complexity makes this exploitable in environments with untrusted HID peripherals.

Technical ContextAI

The HID subsystem (drivers/hid/hid-core.c) processes input reports from human interface devices like keyboards, mice, and game controllers. The vulnerability exists in hid_report_raw_event(), which previously attempted to sanitize incoming event buffers by calling memset() to zero memory from the end of received data to the expected buffer end. When the incoming buffer size is smaller than the report structure expects, this memset() operation accesses memory beyond allocated bounds. The fix removes the unsafe memset() and adds early return validation to reject undersized buffers before processing. This prevents both out-of-bounds reads during the zeroing operation and subsequent OOB writes when the kernel processes the malformed report structure. The vulnerability affects the core HID infrastructure used across USB-HID, Bluetooth-HID, and other transport layers.

RemediationAI

Upgrade to patched kernel versions: mainline 7.0 or later, stable branch 6.19.12 or later, or LTS branch 6.18.22 or later depending on your distribution's kernel series. Distribution-specific packages should be applied via normal update channels (apt, yum, dnf) rather than compiling upstream kernels directly. For Red Hat/CentOS/Fedora users, monitor RHSA advisories; for Debian/Ubuntu, check USN notices; for SUSE, review SUSE-SU advisories. If immediate patching is not feasible, implement defense-in-depth controls: disable unused HID drivers via kernel module blacklisting (modprobe.d configuration for hid-generic, usbhid if USB HID not required), restrict physical access to USB/Bluetooth ports on critical systems, employ USB device whitelisting via USBGuard or similar tools to block unauthorized HID peripherals, and enable kernel hardening features like CONFIG_FORTIFY_SOURCE and CONFIG_HARDENED_USERCOPY if not already active. Note that disabling HID entirely breaks keyboard/mouse functionality on workstations, making this mitigation viable only for headless servers. Bluetooth-based exploitation can be mitigated by disabling Bluetooth (systemctl disable bluetooth) on systems not requiring wireless peripherals, though this impacts usability. Reference advisory at https://vuldb.com/vuln/360720 for additional context.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy