CVE-2026-23178
Unknown Unknown - Not Provided
Buffer Overflow in Linux i2c-hid Driver with Low Impact

Publication date: 2026-02-14

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23178
EUVD
EUVD-2026-6112
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a potential buffer overflow in the Linux kernel's i2c-hid driver, specifically in the function i2c_hid_get_report().

The issue arises because the function i2c_hid_xfer reads a number of bytes based on recv_len plus the size of a 16-bit value into a buffer called rawbuf. The recv_len value can come from userspace via the hidraw driver and is only limited by a large maximum buffer size (16384 bytes) by default.

However, the actual buffer size for the device (bufsize) can be smaller, which means that reading recv_len + sizeof(__le16) bytes can overflow the buffer if recv_len is not properly limited.

The fix involves truncating recv_len to ensure it does not exceed the buffer size minus the size of the 16-bit value, preventing the overflow.

Impact Analysis

The impact of this vulnerability is considered low because access to hidraw devices, which can trigger this issue, requires root privileges.

If exploited, a buffer overflow could potentially lead to memory corruption, which might be used to execute arbitrary code or cause a denial of service, but only by users with root access.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

This vulnerability affects the Linux kernel's i2c-hid driver and requires root access to exploit via hidraw devices.

Immediate mitigation steps include ensuring your Linux kernel is updated to a version that includes the fix for this issue, which truncates the recv_len to prevent buffer overflow.

Additionally, restrict access to hidraw devices to trusted users only, as exploitation requires root privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23178. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart