CVE-2026-43051
Out-of-Bounds Read in Linux Kernel Wacom Driver
Publication date: 2026-05-01
Last updated on: 2026-05-03
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wacom | wacom_intuos_bt_irq | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's handling of Bluetooth HID reports for Wacom Intuos devices. Specifically, the function wacom_intuos_bt_irq processes Bluetooth HID reports without proper bounds checking. If a maliciously crafted short report is sent, it can cause an out-of-bounds read when copying data into the wacom structure.
The issue arises because certain report types (0x03 and 0x04) require a minimum number of bytes (22 and 32 respectively) to be safely processed. Without explicit length checks, shorter reports can trigger unsafe memory reads.
How can this vulnerability impact me? :
This vulnerability can lead to an out-of-bounds read in kernel memory when processing Bluetooth HID reports from Wacom Intuos devices. Such out-of-bounds reads may cause system instability, crashes, or potentially expose sensitive kernel memory contents.
An attacker who can send crafted Bluetooth HID reports to a vulnerable device could exploit this flaw to disrupt normal device operation or gain information about kernel memory, which might be leveraged for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds read in the wacom_intuos_bt_irq function of the Linux kernel when processing Bluetooth HID reports. Detection would involve monitoring for warnings or logs indicating receipt of short reports with insufficient length for report IDs 0x03 and 0x04.
Specifically, since the fix adds explicit length checks and logs warnings if a short report is received, checking system logs for such warnings can help detect attempts to exploit this vulnerability.
Commands to detect this might include reviewing kernel logs with commands like:
- dmesg | grep -i wacom
- journalctl -k | grep -i wacom
- grep -i 'short report' /var/log/syslog
Additionally, monitoring Bluetooth HID traffic for unusually short reports with IDs 0x03 or 0x04 could be done with specialized Bluetooth packet capture tools, but no specific commands are provided in the context.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by adding explicit length checks in the wacom_intuos_bt_irq function of the Linux kernel. Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.
Until the kernel is updated, limiting exposure by disabling Bluetooth HID devices or restricting Bluetooth access to trusted devices may reduce risk.
Monitoring system logs for warnings about short reports can also help detect potential exploitation attempts.