CVE-2026-23178
Published: Feb 14, 2026
Modified: May 11, 2026
CVSS v3.1
7.8
Description
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 85df713377ddc0482071c3e6b64c37bd1e48f1f1 - < f9c9ad89d845f88a1509e9d672f65d234425fde9affected 85df713377ddc0482071c3e6b64c37bd1e48f1f1 - < cff3f619fd1cb40cdd89971df9001f075613d219affected 85df713377ddc0482071c3e6b64c37bd1e48f1f1 - < 786ec171788bdf9dda38789163f1b1fbb47f2d1eaffected 85df713377ddc0482071c3e6b64c37bd1e48f1f1 - < 2124279f1f8c32c1646ce98e75a1a39b23b7db76affected 85df713377ddc0482071c3e6b64c37bd1e48f1f1 - < 2497ff38c530b1af0df5130ca9f5ab22c5e92f29 |
Linux | Linux | affected 5.18unaffected 0 - < 5.18unaffected 6.1.163 - <= 6.1.*unaffected 6.6.124 - <= 6.6.*unaffected 6.12.70 - <= 6.12.*+2 more versions |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now