CVE-2026-43047
HID Multitouch Report ID Mismatch Vulnerability
Publication date: 2026-05-01
Last updated on: 2026-05-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's HID multitouch component. It occurs because a malicious or faulty device can respond to a specific feature report request with a completely different report ID than the one requested.
This mismatch can confuse the HID core, potentially leading to harmful side effects such as out-of-bounds (OOB) memory writes.
The fix involves adding a check to ensure that the report ID in the response matches the requested report ID. If they do not match, the raw event is not reported and the process returns early.
How can this vulnerability impact me? :
This vulnerability can lead to out-of-bounds memory writes within the Linux kernel's HID subsystem.
Such memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.
Therefore, if exploited, it could compromise the security and reliability of systems running vulnerable Linux kernels.