Improper input validation in Linux kernel - CVE-2026-43251
Published: May 7, 2026
Vulnerability identifier: #VU130469
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-43251
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in the prodikeys HID driver when processing a forged USB report descriptor from a fake device. An attacker with physical access can connect a crafted USB device to trigger a kernel crash and cause a denial of service.
The issue occurs because the input_mapping() hook may not be called, leaving pm->input_ep82 unset.
How to mitigate CVE-2026-43251
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/3f1b21cc67a15d7d081378a9b8747dd000a017b8
- https://git.kernel.org/stable/c/cee8337e1bad168136aecfe6416ecd7d3aa7529a
- https://git.kernel.org/stable/c/d08f35f843881ec504d7537a9bb728a073db3366
- https://git.kernel.org/stable/c/d5512ce892f774d37c53082adadfcad04f21b50e
- https://git.kernel.org/stable/c/e7ac1cd823cd2e9fcbd5cb0b261d6d35dbb79341
- https://git.kernel.org/stable/c/edccbf7d6dc05d692bde3a89de5a4001f72a0fa4
- https://git.kernel.org/stable/c/ee572578f09f0e743e9383393a75c3a7a0f9b4c2
- https://git.kernel.org/stable/c/f580c79683356632f12f2c2029f2fe936d953aa1