CVE-2026-43051 (GCVE-0-2026-43051)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-03 05:46
VLAI?
Title
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.
Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if
a short report is received.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada
(git)
Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 5b5b9730111808410e404ceac2fabd32eef92fbd (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < fa8901cb1f0b2113a342db93bd5684b59fe99dcf (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 8bd690ac1242332c73cba10dacdad6c6642bbb94 (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 41026bcc0fdf82605205c27935ef719cbc07193b (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < c8dc23c97680eebefde06da5858aaef1b37cf75d (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 3d78386b144453c47e81bf62dc3601b757f02d99 (git) Affected: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a , < 2f1763f62909ccb6386ac50350fa0abbf5bb16a9 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "5b5b9730111808410e404ceac2fabd32eef92fbd",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "fa8901cb1f0b2113a342db93bd5684b59fe99dcf",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "8bd690ac1242332c73cba10dacdad6c6642bbb94",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "41026bcc0fdf82605205c27935ef719cbc07193b",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "c8dc23c97680eebefde06da5858aaef1b37cf75d",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "3d78386b144453c47e81bf62dc3601b757f02d99",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "2f1763f62909ccb6386ac50350fa0abbf5bb16a9",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:24.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada"
},
{
"url": "https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd"
},
{
"url": "https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf"
},
{
"url": "https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94"
},
{
"url": "https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b"
},
{
"url": "https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d"
},
{
"url": "https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99"
},
{
"url": "https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9"
}
],
"title": "HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43051",
"datePublished": "2026-05-01T14:15:45.314Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-03T05:46:24.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43051",
"date": "2026-05-04",
"epss": "0.00023",
"percentile": "0.06494"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-43051\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-01T15:16:51.543\",\"lastModified\":\"2026-05-03T07:16:24.173\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\\n\\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\\nwithout sufficient bounds checking. A maliciously crafted short report\\ncan trigger an out-of-bounds read when copying data into the wacom\\nstructure.\\n\\nSpecifically, report 0x03 requires at least 22 bytes to safely read\\nthe processed data and battery status, while report 0x04 (which\\nfalls through to 0x03) requires 32 bytes.\\n\\nAdd explicit length checks for these report IDs and log a warning if\\na short report is received.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…