CVE-2026-43047 Overview
CVE-2026-43047 is a Linux kernel vulnerability in the HID multitouch driver. The flaw allows a malicious or malfunctioning Human Interface Device (HID) to respond to a feature report request with a different report ID than was requested. This mismatch causes confusion in the HID core and can lead to out-of-bounds (OOB) writes in kernel memory. The issue affects local attack surfaces where an attacker can attach or emulate a USB or Bluetooth HID device. Maintainers resolved the issue by adding a validation check that compares the response report ID against the requested ID and aborts processing on mismatch.
Critical Impact
A crafted HID device can trigger out-of-bounds writes in the Linux kernel HID core, enabling memory corruption with potential for privilege escalation.
Affected Products
- Linux kernel HID multitouch subsystem (drivers/hid/hid-multitouch.c)
- Multiple stable Linux kernel branches as referenced in upstream commits
- Systems exposing HID device attachment (USB, Bluetooth, virtualized HID)
Discovery Timeline
- 2026-05-01 - CVE-2026-43047 published to NVD
- 2026-05-03 - Last updated in NVD database
Technical Details for CVE-2026-43047
Vulnerability Analysis
The Linux kernel HID multitouch driver issues feature report requests to attached HID devices to retrieve device-specific data. The driver previously assumed that the responding device would return data tagged with the same report ID that was requested. A malicious device can violate this assumption by responding with an arbitrary report ID. The HID core then processes the mismatched response using sizing and offset assumptions tied to the requested report, producing out-of-bounds writes into kernel memory structures.
The vulnerability requires local access because the attacker needs to attach or emulate an HID device to the target system. Exploitation does not require user interaction once the device is attached. Successful memory corruption in kernel context can compromise confidentiality, integrity, and availability of the host.
Root Cause
The root cause is missing input validation on responses returned from untrusted hardware. The HID multitouch code did not verify that the report ID embedded in a feature response matched the report ID that was solicited. Treating attacker-controlled response data as trusted input violates safe parsing of device protocols.
Attack Vector
An attacker with the ability to connect a USB, Bluetooth, or otherwise emulated HID device to a vulnerable Linux host can deliver crafted feature report responses. Programmable HID hardware such as a Raspberry Pi Pico, Facedancer, or BadUSB-class device can construct the malformed responses. The kernel parses the response in privileged context, producing OOB writes that can be shaped into a kernel exploitation primitive.
No verified public proof-of-concept code is available. Refer to the upstream patch commits for technical details on the affected code paths and the validation logic added by maintainers.
Detection Methods for CVE-2026-43047
Indicators of Compromise
- Unexpected hid-multitouch warnings, oops messages, or KASAN reports in dmesg referencing report parsing
- Kernel panics or memory corruption traces correlated with HID device enumeration events
- Attachment of unfamiliar USB or Bluetooth HID devices to sensitive endpoints, especially programmable microcontroller-class hardware
Detection Strategies
- Monitor kernel logs for HID subsystem errors, particularly around feature report handling and report ID mismatches
- Correlate USB device insertion telemetry (udev, usbguard) with subsequent kernel warnings or process crashes
- Audit running kernel versions across the fleet to identify hosts that have not received the patched HID multitouch code
Monitoring Recommendations
- Forward dmesg and journald kernel logs to a central platform such as Singularity Data Lake for retention and analysis
- Track USB and Bluetooth HID enumeration events on servers, kiosks, and workstations where physical access controls are weak
- Alert on kernel KASAN, slab corruption, or general protection fault messages that name the HID subsystem
How to Mitigate CVE-2026-43047
Immediate Actions Required
- Apply the upstream Linux kernel patches from the referenced git.kernel.org stable commits and reboot affected systems
- Inventory hosts running unpatched kernel versions and prioritize servers, multi-user workstations, and shared kiosks
- Restrict physical access and USB port use on systems handling sensitive data until patches are deployed
Patch Information
The fix adds a check ensuring that the report ID returned by a HID device matches the report ID that was requested. If the IDs do not match, the driver omits raw event reporting and returns early. The patch is distributed across multiple stable branches via commits including 2edc92f89eee, 516da3f25cfe, 6a4acd3e86fe, 74c6015375d8, 7f66fdbc077f, a61163daf8a9, c7a27bb4d0f6, and e716edafedad. See the Linux Kernel Commit Update for the canonical change.
Workarounds
- Deploy USB device control policies using usbguard to block unauthorized HID devices from attaching
- Disable Bluetooth HID profile on systems where it is not required to reduce wireless attack surface
- Enforce physical port lockdown on endpoints in publicly accessible areas pending kernel updates
# Example usbguard policy: allow only known HID devices
sudo apt install usbguard
sudo usbguard generate-policy > /etc/usbguard/rules.conf
sudo systemctl enable --now usbguard
# Review and tighten the generated rules before enabling enforcement
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
