2439914 – (CVE-2026-23178) CVE-2026-23178 kernel: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Bug 2439914 (CVE-2026-23178) - CVE-2026-23178 kernel: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

Summary: CVE-2026-23178 kernel: HID: i2c-hid: fix potential buffer overflow in i2c_hid...

Keywords:
Status:	NEW
Alias:	CVE-2026-23178
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-14 17:02 UTC by OSIDB Bzimport
Modified:	2026-02-16 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-14 17:02:50 UTC

In the Linux kernel, the following vulnerability has been resolved:

HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.

The former can come from the userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set
`max_buffer_size` field of `struct hid_ll_driver` which we do not).

The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.

Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.

The impact is low since access to hidraw devices requires root.

Comment 1 Alexander B 2026-02-16 18:03:53 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23178-ffd4@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.