CVE-2026-43051 (GCVE-0-2026-43051)
Vulnerability from cvelistv5
Published
2026-05-01 14:15
Modified
2026-05-03 05:46
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.
Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if
a short report is received.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a Version: 78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "5b5b9730111808410e404ceac2fabd32eef92fbd",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "fa8901cb1f0b2113a342db93bd5684b59fe99dcf",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "8bd690ac1242332c73cba10dacdad6c6642bbb94",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "41026bcc0fdf82605205c27935ef719cbc07193b",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "c8dc23c97680eebefde06da5858aaef1b37cf75d",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "3d78386b144453c47e81bf62dc3601b757f02d99",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
},
{
"lessThan": "2f1763f62909ccb6386ac50350fa0abbf5bb16a9",
"status": "affected",
"version": "78761ff9bc4e944e0b4e5df1e7eedcfdbb1a9a1a",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/hid/wacom_wac.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.3"
},
{
"lessThan": "3.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.253",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.203",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.168",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.134",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.81",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.22",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.253",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.203",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.168",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.134",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.81",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.22",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "3.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "3.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-03T05:46:24.515Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada"
},
{
"url": "https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd"
},
{
"url": "https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf"
},
{
"url": "https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94"
},
{
"url": "https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b"
},
{
"url": "https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d"
},
{
"url": "https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99"
},
{
"url": "https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9"
}
],
"title": "HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43051",
"datePublished": "2026-05-01T14:15:45.314Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-03T05:46:24.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…