Improper input validation in Linux kernel - CVE-2026-43136
Published: May 7, 2026
Linux kernel
Detailed vulnerability description
The vulnerability allows an attacker with physical access to cause a denial of service.
The vulnerability exists due to improper input validation in hidpp_get_report_length() when parsing HID report descriptors from a USB device. An attacker with physical access can connect a fake USB gadget with a crafted report descriptor to cause a denial of service.
The issue is triggered when a report defines no valid fields.
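The missing check can be modelled in user space. The following is an added example, not the kernel's code or the upstream patch: the structures, function names and sample values are simplified, hypothetical stand-ins, and it assumes the report length is read from the report's first field.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_REPORT_IDS 256

/* Simplified, hypothetical stand-ins for HID report bookkeeping. */
struct field  { unsigned report_count; };
struct report { unsigned maxfield; struct field *field[4]; };
struct report_table { struct report *by_id[MAX_REPORT_IDS]; };

/* Unchecked: assumes a registered report always has a first field.
 * With maxfield == 0, field[0] is NULL and the dereference faults. */
unsigned report_length_unchecked(const struct report_table *t, unsigned id)
{
    const struct report *r = t->by_id[id];
    if (!r)
        return 0;
    return r->field[0]->report_count;
}

/* Checked: a report without fields is treated like a missing report. */
unsigned report_length_checked(const struct report_table *t, unsigned id)
{
    const struct report *r = id < MAX_REPORT_IDS ? t->by_id[id] : NULL;
    if (!r || r->maxfield == 0 || !r->field[0])
        return 0;
    return r->field[0]->report_count;
}

/* Constructed sample: ID 0x10 is well formed, ID 0x11 has no fields. */
static struct field f_ok = { 7 };
static struct report r_ok = { 1, { &f_ok } };
static struct report r_empty = { 0, { NULL } };

void sample_table(struct report_table *t)
{
    for (size_t i = 0; i < MAX_REPORT_IDS; i++)
        t->by_id[i] = NULL;
    t->by_id[0x10] = &r_ok;
    t->by_id[0x11] = &r_empty;
}

int main(void)
{
    struct report_table t;
    sample_table(&t);
    printf("0x10 -> %u, 0x11 -> %u\n",
           report_length_checked(&t, 0x10), report_length_checked(&t, 0x11));
    return 0;
}
```

Returning 0 for a field-less report lets a caller that already rejects missing or too-short reports refuse the device without touching the empty field array.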
How to mitigate CVE-2026-43136
Sources
- https://git.kernel.org/stable/c/1547d41f9f19d691c2c9ce4c29f746297baef9e9
- https://git.kernel.org/stable/c/1acb28123e57b50d737377f400f57eec889fe5e4
- https://git.kernel.org/stable/c/2dc023dbc11b8dfa8afa63242762acd8cddcad03
- https://git.kernel.org/stable/c/7f59999fcd699af06ad2aef446a635ea6aa87db3
- https://git.kernel.org/stable/c/ae81fac9ce81917817d787e6b74e68482d99bdf2
- https://git.kernel.org/stable/c/b74bf7d0d01fa9b53653f58c29aa00772121f6e9
- https://git.kernel.org/stable/c/f1ceaaf93ea32d0f2b95c95f784ee155962c52ad
- https://git.kernel.org/stable/c/fb1725c0804dbec9dd01c4cb5c9f1f77a69e36dc