CVE-2026-43049
Status: Awaiting Analysis
Use-After-Free in Linux Kernel HID Logitech Driver

Publication date: 2026-05-01

Last updated on: 2026-05-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure

Presently, if the force feedback initialisation fails when probing the Logitech G920 Driving Force Racing Wheel for Xbox One, an error number will be returned and propagated before the userspace infrastructure (sysfs and /dev/input) has been torn down. If userspace ignores the errors and continues to use its references to these dangling entities, a UAF will promptly follow.

We have 2 options: continue to return the error, but ensure that all of the infrastructure is torn down accordingly, or continue to treat this condition as a warning by emitting the message but returning success.

It is thought that the original author's intention was to emit the warning but keep the device functional, less the force feedback feature, so let's go with that.
Meta Information

Generated: 2026-05-07

AI Q&A: 2026-05-01

EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)

Vendor: logitech
Product: logitech_hidpp
Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

If exploited, this use-after-free vulnerability could cause instability or crashes in the userspace processes interacting with the Logitech G920 device. It may lead to unexpected behavior or denial of service when the userspace continues to use invalid references after the force feedback initialization failure.

While the description does not specify further impacts such as privilege escalation or data corruption, use-after-free bugs generally pose risks of memory corruption which could potentially be leveraged for more severe exploits depending on the context.

What immediate steps should I take to mitigate this vulnerability?

The vulnerability involves a use-after-free condition in the Logitech G920 Driving Force Racing Wheel's force feedback initialization in the Linux kernel. To mitigate this, ensure that your Linux kernel is updated to a version where this issue is resolved, which handles the force feedback initialization failure by either properly tearing down the infrastructure or treating the condition as a warning while keeping the device functional without force feedback.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information about CVE-2026-43049 does not include any details regarding its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's handling of the Logitech G920 Driving Force Racing Wheel for Xbox One. When the force feedback initialization fails during device probing, an error is returned before the userspace infrastructure (such as sysfs and /dev/input) is properly torn down. If userspace ignores this error and continues to use references to these now invalid or dangling entities, a use-after-free (UAF) condition occurs.

The issue arises because the device's force feedback feature initialization failure leads to inconsistent cleanup, causing userspace to potentially access freed memory or resources.
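The probe error path described in the commit message and in the answer above can be modelled outside the kernel. The following C program is an added example, not the driver's or this page's code: it shows the original path that leaves the published userspace interface dangling, the teardown-then-fail alternative, and the warn-and-continue path the fix adopts. Every name in it (wheel_dev, ff_init, probe, policy, dangling_iface) is a hypothetical stand-in for the driver's own symbols.

```c
/* Added example, not kernel code: userspace model of the probe error path
 * from the commit message; every name is a hypothetical stand-in. */
#include <stdbool.h>
#include <stdio.h>

struct wheel_dev {
    bool bound;      /* probe completed, driver owns the device */
    bool iface_up;   /* sysfs entries and /dev/input node are published */
    bool ff_ready;   /* force feedback initialised */
};

/* Three ways probe can react when force-feedback setup fails. */
enum policy { ORIGINAL, TEARDOWN_ON_ERROR, WARN_ONLY };

/* Stand-in for the force-feedback init step; 'fail' simulates its failure. */
static int ff_init(struct wheel_dev *d, bool fail)
{
    if (fail)
        return -5;               /* stands in for a negative errno */
    d->ff_ready = true;
    return 0;
}

static void publish_iface(struct wheel_dev *d)  { d->iface_up = true; }
static void teardown_iface(struct wheel_dev *d) { d->iface_up = false; d->ff_ready = false; }

/* Models the probe: the userspace interface is published before the
 * force-feedback step, so what happens on failure decides whether
 * userspace is left holding references to an unbound device. */
int probe(struct wheel_dev *d, enum policy p, bool ff_fails)
{
    *d = (struct wheel_dev){0};
    publish_iface(d);
    int err = ff_init(d, ff_fails);
    if (err) {
        if (p == ORIGINAL)
            return err;          /* defect: interface stays published */
        if (p == TEARDOWN_ON_ERROR) {
            teardown_iface(d);   /* option 1: clean up, then fail */
            return err;
        }
        /* option 2 (what the fix does): warn, keep the device usable */
        fprintf(stderr, "warning: force feedback unavailable, continuing\n");
    }
    d->bound = true;
    return 0;
}

/* True when userspace can still reach a device the driver has given up on. */
bool dangling_iface(const struct wheel_dev *d)
{
    return d->iface_up && !d->bound;
}
```

With the WARN_ONLY policy the device stays bound and reachable with ff_ready false, which is the state the fixed driver leaves behind when force feedback setup fails.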