CVE-2026-23382 Overview
CVE-2026-23382 is a NULL pointer dereference vulnerability in the Linux kernel's Human Interface Device (HID) subsystem. The vulnerability exists in multiple HID driver raw_event callback functions that fail to verify the HID_CLAIMED_INPUT status before processing events. When a malformed or broken HID device is connected to the system, raw event callbacks can be triggered even for devices that have not been properly "claimed," potentially resulting in a kernel crash.
This vulnerability was identified during code review and follows the same pattern that was previously addressed in commit 2ff5baa9b527 for the appleir driver. The fix applies consistent HID_CLAIMED_INPUT guards across all affected in-tree HID drivers to prevent NULL pointer dereferences.
Critical Impact
A physically connected malicious or broken HID device could trigger a kernel panic, causing system instability or denial of service.
Affected Products
- Linux Kernel HID Subsystem (multiple drivers)
- Systems accepting USB or Bluetooth HID devices
- Linux distributions using affected kernel versions
Discovery Timeline
- 2026-03-25 - CVE-2026-23382 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23382
Vulnerability Analysis
The vulnerability originates from inconsistent input validation in multiple HID drivers within the Linux kernel. The HID subsystem processes input events from human interface devices such as keyboards, mice, and specialized controllers. When a HID device is connected, it goes through a claiming process where the kernel validates and prepares the device for input handling.
The affected drivers implement raw_event callback functions that process raw HID report data. These callbacks were executing without first checking whether the device had been successfully claimed via the HID_CLAIMED_INPUT flag. If a malformed device triggers raw events before or without proper claiming, the callback functions attempt to access uninitialized or NULL input device structures, leading to a kernel panic.
The issue affects multiple in-tree HID drivers that were developed before the protective pattern was established with commit 2ff5baa9b527 in the appleir driver. Each affected driver required individual patching to add the missing HID_CLAIMED_INPUT guard checks.
Root Cause
The root cause is missing input validation in HID driver raw_event callback functions. The callbacks fail to verify the HID_CLAIMED_INPUT status flag before dereferencing input device pointers. When the HID device is not properly claimed, these pointers may be NULL or pointing to uninitialized memory, resulting in a NULL pointer dereference when accessed.
Attack Vector
An attacker with physical access to the target system could exploit this vulnerability by connecting a specially crafted or broken HID device. The attack vector requires:
- Physical access to USB ports or Bluetooth connectivity
- A malicious HID device that triggers raw events without completing the claiming process
- The target system running a vulnerable kernel version
The attack results in a kernel panic, causing immediate system crash and denial of service. While remote exploitation is not possible, the vulnerability could be leveraged in scenarios requiring local denial of service or as part of a multi-stage attack requiring system disruption.
The kernel patches add consistent guard checks at the beginning of each affected raw_event callback function. The pattern follows the fix established for the appleir driver, checking if the device has the HID_CLAIMED_INPUT flag set before proceeding with event processing. If the flag is not set, the callback returns early without accessing the input device structures.
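The guard described above, as an added example that is not taken from the kernel patches or from this advisory: a userspace C model of a raw_event callback before and after the check. The model_* names, the struct layouts and the return values are simplified assumptions; only HID_CLAIMED_INPUT and the claimed field follow the kernel's naming.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model; only HID_CLAIMED_INPUT and `claimed` follow kernel naming. */
#define HID_CLAIMED_INPUT (1u << 0)
struct model_input { unsigned int last_key; };
struct model_hid_device {
    unsigned int claimed;       /* bitmask of layers that claimed the device */
    struct model_input *input;  /* NULL unless the input layer claimed it */
};

/* Connect step (assumed): input is set up only if the device had input fields. */
int model_connect(struct model_hid_device *hdev, int has_input_fields)
{
    hdev->claimed = 0;
    hdev->input = NULL;
    if (!has_input_fields)
        return 0;               /* nothing claimed; raw events may still arrive */
    hdev->input = calloc(1, sizeof(*hdev->input));
    if (!hdev->input)
        return -1;
    hdev->claimed |= HID_CLAIMED_INPUT;
    return 0;
}

/* Vulnerable shape: assumes an input device always exists. */
int raw_event_unguarded(struct model_hid_device *hdev, const uint8_t *data, int size)
{
    if (size < 2)
        return 0;
    hdev->input->last_key = data[1];   /* NULL dereference when unclaimed */
    return 1;                          /* model value: event consumed */
}

/* Patched shape: return early unless the input layer claimed the device. */
int raw_event_guarded(struct model_hid_device *hdev, const uint8_t *data, int size)
{
    if (!(hdev->claimed & HID_CLAIMED_INPUT))
        return 0;
    return raw_event_unguarded(hdev, data, size);
}

int main(void)
{
    const uint8_t report[2] = { 0x01, 0x2a };   /* constructed sample report */
    struct model_hid_device hdev;
    model_connect(&hdev, 0);                     /* broken device, never claimed */
    return raw_event_guarded(&hdev, report, 2);  /* 0: dropped before any dereference */
}
```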
Detection Methods for CVE-2026-23382
Indicators of Compromise
- Kernel panic messages referencing HID driver NULL pointer dereference
- System crash logs indicating HID subsystem failures during device connection
- Unusual USB or Bluetooth HID device connection events preceding system instability
- Kernel oops messages with call traces involving HID raw_event functions
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for NULL pointer dereference errors in HID drivers
- Configure kernel crash dump collection to capture evidence of exploitation attempts
- Implement USB device monitoring to track unexpected HID device connections
- Deploy endpoint detection solutions capable of monitoring kernel-level events
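One way to apply the kernel-log check from the list above, as an added example that is not part of the original advisory: a small C scanner that counts NULL pointer dereference oopses whose trace names an HID frame. The log lines are constructed, and exampledrv_raw_event, hid_exampledrv and example_fs_write are placeholder names; the exact oops wording varies by architecture and kernel version.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample, not captured from a real system; exampledrv_raw_event,
 * hid_exampledrv and example_fs_write are placeholder names. */
static const char SAMPLE_LOG[] =
    "[  101.000001] usb 1-2: new full-speed USB device number 5 using xhci_hcd\n"
    "[  101.200000] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[  101.200010] RIP: 0010:exampledrv_raw_event+0x2c/0x90 [hid_exampledrv]\n"
    "[  101.200020] Call Trace:\n"
    "[  101.200030]  hid_input_report+0x11a/0x180 [hid]\n"
    "[  101.200040] ---[ end trace 0000000000000000 ]---\n"
    "[  250.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[  250.000010] RIP: 0010:example_fs_write+0x40/0x100\n"
    "[  250.000020] ---[ end trace 0000000000000000 ]---\n";

/* Count oops blocks that open with a NULL pointer dereference and name an
 * HID frame before the end-of-trace marker. */
int count_hid_null_oops(const char *log)
{
    int hits = 0, in_oops = 0;
    char line[256];

    while (*log) {
        size_t len = strcspn(log, "\n");
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, log, n);
        line[n] = '\0';
        log += len + (log[len] == '\n');

        if (strstr(line, "kernel NULL pointer dereference")) {
            in_oops = 1;
        } else if (in_oops && strstr(line, "---[ end trace")) {
            in_oops = 0;
        } else if (in_oops && (strstr(line, "raw_event") || strstr(line, "hid_input_report"))) {
            hits++;
            in_oops = 0;   /* count each oops once */
        }
    }
    return hits;
}

int main(void)
{
    printf("HID NULL-deref oopses: %d\n", count_hid_null_oops(SAMPLE_LOG));
    return 0;
}
```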
Monitoring Recommendations
- Enable kernel crash dump collection via kdump or similar mechanisms
- Configure centralized logging for kernel messages across endpoints
- Monitor for unusual patterns of HID device connections, especially on servers
- Implement USB device whitelisting where operational requirements permit
How to Mitigate CVE-2026-23382
Immediate Actions Required
- Update the Linux kernel to a patched version containing the HID_CLAIMED_INPUT guard fixes
- Review kernel version against the provided patch commits to determine vulnerability status
- Consider temporarily disabling USB ports on critical systems if updates cannot be immediately applied
- Implement physical access controls to limit unauthorized device connections
Patch Information
The vulnerability has been resolved through multiple kernel commits that add HID_CLAIMED_INPUT guards to affected drivers. The following patch commits address this vulnerability:
- Kernel Git Commit 20864e3
- Kernel Git Commit 575122c
- Kernel Git Commit 6e33088
- Kernel Git Commit 892dbaf
- Kernel Git Commit ac83b0d
- Kernel Git Commit ecfa6f3
Organizations should apply kernel updates from their distribution vendor that incorporate these fixes.
Workarounds
- Restrict physical access to system USB and Bluetooth interfaces
- Implement USB device authorization policies to prevent unauthorized HID devices from connecting
- Disable unused USB ports at the BIOS/UEFI level on sensitive systems
- Use USBGuard or similar tools to enforce HID device whitelisting
```bash
# Example: Install and configure USBGuard to restrict HID devices
# Install USBGuard
sudo apt install usbguard
# Generate initial policy based on currently connected devices
# (run the redirection as root; a plain "sudo cmd > file" opens the file as the calling user)
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
# Enable and start USBGuard service
sudo systemctl enable usbguard
sudo systemctl start usbguard
# Devices that match no rule, including new HID devices, are handled by
# ImplicitPolicyTarget in /etc/usbguard/usbguard-daemon.conf (default: block)
# View current policy
sudo usbguard list-rules
```


