Bug 2464486 (CVE-2026-43049) - CVE-2026-43049 kernel: HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure
Summary: CVE-2026-43049 kernel: HID: logitech-hidpp: Prevent use-after-free on force f...
Keywords:
Status: NEW
Alias: CVE-2026-43049
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-01 15:09 UTC by OSIDB Bzimport
Modified: 2026-05-01 18:37 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:09:29 UTC 
In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure

Presently, if the force feedback initialisation fails when probing the
Logitech G920 Driving Force Racing Wheel for Xbox One, an error number
will be returned and propagated before the userspace infrastructure
(sysfs and /dev/input) has been torn down.  If userspace ignores the
errors and continues to use its references to these dangling entities, a
UAF will promptly follow.

We have 2 options; continue to return the error, but ensure that all of
the infrastructure is torn down accordingly or continue to treat this
condition as a warning by emitting the message but returning success.
It is thought that the original author's intention was to emit the
warning but keep the device functional, less the force feedback feature,
so let's go with that.
Comment 1 Keith Grant 2026-05-01 18:35:19 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050106-CVE-2026-43049-224e@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.