Bug 2464462 (CVE-2026-43051)

Summary: CVE-2026-43051 kernel: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's Wacom Human Interface Device (HID) driver. This vulnerability allows a remote attacker to trigger an out-of-bounds read by sending a specially crafted, short Bluetooth HID report. This can lead to the disclosure of sensitive information from the system's memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-01 15:08:11 UTC 
In the Linux kernel, the following vulnerability has been resolved:

HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.

Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.

Add explicit length checks for these report IDs and log a warning if
a short report is received.
Comment 1 Keith Grant 2026-05-01 18:43:18 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050107-CVE-2026-43051-0d15@gregkh/T