{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23178", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.984Z", "datePublished": "2026-02-14T16:27:10.108Z", "dateUpdated": "2026-05-11T22:01:49.899Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:49.899Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/i2c-hid/i2c-hid-core.c"], "versions": [{"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "f9c9ad89d845f88a1509e9d672f65d234425fde9", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "cff3f619fd1cb40cdd89971df9001f075613d219", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "786ec171788bdf9dda38789163f1b1fbb47f2d1e", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "2124279f1f8c32c1646ce98e75a1a39b23b7db76", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "2497ff38c530b1af0df5130ca9f5ab22c5e92f29", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/i2c-hid/i2c-hid-core.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"}, {"url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"}, {"url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"}, {"url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"}, {"url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"}], "title": "HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nHID: i2c-hid: corrige un potencial desbordamiento de b\u00fafer en i2c_hid_get_report()\n\n'i2c_hid_xfer' se utiliza para leer 'recv_len + sizeof(__le16)' bytes de datos en 'ihid->rawbuf'.\n\nEl primero puede provenir del espacio de usuario en el controlador hidraw y est\u00e1 limitado \u00fanicamente por HID_MAX_BUFFER_SIZE(16384) por defecto (a menos que tambi\u00e9n configuremos el campo 'max_buffer_size' de 'struct hid_ll_driver', lo cual no hacemos).\n\nEl segundo tiene un tama\u00f1o determinado en tiempo de ejecuci\u00f3n por el tama\u00f1o m\u00e1ximo de los diferentes tipos de informes que se podr\u00edan recibir en cualquier dispositivo particular y puede ser un valor mucho menor.\n\nEsto se soluciona truncando 'recv_len' a 'ihid->bufsize - sizeof(__le16)'.\n\nEl impacto es bajo ya que el acceso a los dispositivos hidraw requiere root."}], "id": "CVE-2026-23178", "lastModified": "2026-04-15T14:34:27.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-02-14T17:15:55.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()", "id": "2439914", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439914"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\nThe impact is low since access to hidraw devices requires root."], "name": "CVE-2026-23178", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23178\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23178\nhttps://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23178-ffd4@gregkh/T"], "statement": "As noted in the patch, access to hidraw devices requires root privileges (or specific device permissions). The practical impact is limited since an attacker would already need elevated access to exploit this vulnerability. The overflow could potentially be used for local privilege escalation but the attack surface is constrained.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f9c9ad89d845f88a1509e9d672f65d234425fde9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cff3f619fd1cb40cdd89971df9001f075613d219)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,786ec171788bdf9dda38789163f1b1fbb47f2d1e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2124279f1f8c32c1646ce98e75a1a39b23b7db76)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2497ff38c530b1af0df5130ca9f5ab22c5e92f29)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.163,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.124,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.70,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-17T19:28:29.981458+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to the latest release that contains the CVE\u20112026\u201123178 fix", "If upgrading is delayed, restrict access to /dev/hidraw* device files to privileged users or enforce mandatory access control policies via SELinux, AppArmor, or similar mechanisms so that only trusted processes can read or write them", "If the system does not require i2c\u2011hid functionality, disable the driver by blacklisting it in /etc/modprobe.d or by compiling the kernel without i2c\u2011hid support"], "summary": {"action": "Apply patch", "impact": "Kernel buffer overflow via i2c\u2011hid interface"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that include the unpatched i2c\u2011hid driver are affected. The vendor is Linux, the product is the Linux kernel. No specific version numbers are listed, so every kernel build before the patch that contains the i2c\u2011hid subsystem is potentially vulnerable.", "description_and_impact": "The Linux kernel\u2019s i2c\u2011hid driver contains a buffer overflow when processing report requests. A user\u2011space request can cause the kernel to read more data than fits in the destination buffer, leading to an out\u2011of\u2011bounds write in kernel memory. This may corrupt kernel data and could trigger a crash, but exploitation would require access to /dev/hidraw, which is restricted to root, so the practical impact is limited.", "risk_and_exploitability": "The CVSS score of 7.8 indicates medium\u2011to\u2011high severity, yet the EPSS score is less than 1\u202f% and the vulnerability is not in CISA\u2019s KEV catalog, suggesting a low likelihood of exploitation. Because access to /dev/hidraw devices requires root, the attack vector is local and requires privileged execution. The consequence is therefore limited to systems where an attacker already has root or can compromise a privileged process; under typical defense\u2011in\u2011depth controls the risk remains low."}}}}, "created": "2026-02-16T09:43:59.538264+00:00", "updated": "2026-04-17T19:30:15.649114+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-119"]}