FKIE_CVE-2026-23178

Vulnerability from fkie_nvd - Published: 2026-02-14 17:15 - Updated: 2026-02-18 17:52
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid-\u003erawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid-\u003ebufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nHID: i2c-hid: corrige un potencial desbordamiento de b\u00fafer en i2c_hid_get_report()\n\n\u0027i2c_hid_xfer\u0027 se utiliza para leer \u0027recv_len + sizeof(__le16)\u0027 bytes de datos en \u0027ihid-\u0026gt;rawbuf\u0027.\n\nEl primero puede provenir del espacio de usuario en el controlador hidraw y est\u00e1 limitado \u00fanicamente por HID_MAX_BUFFER_SIZE(16384) por defecto (a menos que tambi\u00e9n configuremos el campo \u0027max_buffer_size\u0027 de \u0027struct hid_ll_driver\u0027, lo cual no hacemos).\n\nEl segundo tiene un tama\u00f1o determinado en tiempo de ejecuci\u00f3n por el tama\u00f1o m\u00e1ximo de los diferentes tipos de informes que se podr\u00edan recibir en cualquier dispositivo particular y puede ser un valor mucho menor.\n\nEsto se soluciona truncando \u0027recv_len\u0027 a \u0027ihid-\u0026gt;bufsize - sizeof(__le16)\u0027.\n\nEl impacto es bajo ya que el acceso a los dispositivos hidraw requiere root."
    }
  ],
  "id": "CVE-2026-23178",
  "lastModified": "2026-02-18T17:52:22.253",
  "metrics": {},
  "published": "2026-02-14T17:15:55.537",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.