CVE-2026-43048 Overview
CVE-2026-43048 is an out-of-bounds (OOB) read vulnerability in the Linux kernel's Human Interface Device (HID) core subsystem. The flaw resides in the hid_report_raw_event() function, where a memset() call intended to zero out bogus data could trigger OOB reads and writes in subsequent execution paths. The issue affects Linux kernel versions ranging from 2.6.15 through 7.0-rc4, indicating a long-lived defect in the HID input handling path. The vulnerability is tracked under CWE-125 (Out-of-Bounds Read) and is exploitable from an adjacent network position through HID-capable transports such as Bluetooth.
Critical Impact
An attacker on an adjacent network can deliver a malformed HID report to trigger out-of-bounds memory access in the Linux kernel, leading to kernel memory disclosure, corruption, or denial of service.
Affected Products
- Linux Kernel (mainline) up to and including 7.0-rc4
- Linux Kernel 2.6.15 (including rc6 and rc7 pre-releases)
- Linux Kernel 7.0 release candidates rc1 through rc4
Discovery Timeline
- 2026-05-01 - CVE-2026-43048 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43048
Vulnerability Analysis
The vulnerability resides in the hid_report_raw_event() function within the Linux kernel HID core. The function processes raw HID reports received from input devices over transports including USB, Bluetooth, and I2C-HID. To defensively clear unexpected trailing bytes, the function previously called memset() to zero out the region from the end of the incoming data to the assumed end of the report buffer.
When the incoming event buffer is smaller than the report size derived from the HID descriptor, the memset() operation crosses buffer boundaries. This produces an out-of-bounds write into adjacent kernel memory and enables subsequent OOB reads when the cleared region is consumed by HID parsing logic.
The maintainer fix removes the memset() entirely. The function now returns early when the incoming event buffer size is insufficient to populate the associated report, eliminating the unsafe boundary assumption.
Root Cause
The root cause is an incorrect assumption about buffer size invariants. The memset() was added with defensive intent but operated on a buffer whose actual length could be smaller than the HID-descriptor-defined report length. Trusting the descriptor-defined length over the runtime buffer length is what lets the access run past the end of the buffer.
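The size mismatch described in the analysis and root cause above, as an added user-space C model (not the kernel's code and not part of the original advisory). The struct and function names and the -EINVAL return value are assumptions made for illustration, and the legacy function reports the overrun instead of performing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model only. All names here are hypothetical, not kernel symbols. */
struct event_buf {
    uint8_t *data;     /* bytes handed over by the transport */
    size_t   received; /* bytes the device actually sent (<= capacity) */
    size_t   capacity; /* bytes really allocated behind data */
};

/* Pre-fix pattern: a short event is zero-padded up to the report length taken
 * from the HID descriptor. Returns how many bytes that padding would write
 * past the allocation (0 means in bounds). The memset() runs only when it is
 * in bounds, so the model never corrupts memory itself. */
size_t legacy_pad_overrun(struct event_buf *ev, size_t report_len)
{
    if (ev->received >= report_len)
        return 0;                           /* event is long enough */
    if (report_len > ev->capacity)
        return report_len - ev->capacity;   /* padding would leave the buffer */
    memset(ev->data + ev->received, 0, report_len - ev->received);
    return 0;
}

/* Post-fix pattern as the page describes it: no padding, and a short event is
 * rejected before any report field is read. -EINVAL is this example's choice. */
int fixed_accept_event(const struct event_buf *ev, size_t report_len)
{
    return ev->received < report_len ? -EINVAL : 0;
}

int main(void)
{
    uint8_t raw[4] = { 1, 2, 3, 4 };        /* constructed 4-byte event */
    struct event_buf ev = { raw, sizeof raw, sizeof raw };
    printf("legacy overrun: %zu bytes, fixed: %d\n",
           legacy_pad_overrun(&ev, 8), fixed_accept_event(&ev, 8));
    return 0;
}
```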
Attack Vector
Exploitation requires the ability to deliver crafted HID reports to a vulnerable Linux host. This is reachable from adjacent network positions, most notably through Bluetooth HID profiles where a paired or proximate attacker can transmit malformed report payloads. Successful exploitation can corrupt kernel memory, leak kernel data, or panic the kernel.
No public proof-of-concept exploit has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-43048
Indicators of Compromise
- Kernel log entries referencing hid_report_raw_event faults, KASAN out-of-bounds splats, or general protection faults originating from HID subsystem call stacks
- Unexpected kernel panics or oopses correlated with Bluetooth or USB HID device connections
- New or unrecognized HID devices pairing with hosts shortly before kernel instability
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test and pre-production kernels to catch OOB reads and writes in the HID path
- Monitor dmesg and journalctl -k output for HID-related stack traces and call chains containing hid_input_report or hid_report_raw_event
- Track installed kernel package versions across the fleet against the patched commits referenced in the kernel.org advisories
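One way to apply the log checks above, as an added example rather than a tool from the advisory or the kernel project: it counts fault reports whose header or following call-trace lines name hid_report_raw_event or hid_input_report, so a bare mention of those functions outside a fault is not counted. The fault marker strings, the 12-line window and the sample log lines are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRACE_WINDOW 12 /* lines after a fault header searched for HID frames */
/* Fault wording is this example's assumption; frame names are from the page. */
static const char *const FAULT_MARKERS[] = {
    "BUG: KASAN:", "general protection fault", "Oops:", "Kernel panic", NULL };
static const char *const HID_FRAMES[] = {
    "hid_report_raw_event", "hid_input_report", NULL };

static int contains_any(const char *line, const char *const *needles)
{
    for (; *needles; needles++)
        if (strstr(line, *needles))
            return 1;
    return 0;
}

/* Count fault reports whose header or call trace names a HID core function. */
int count_hid_faults(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!contains_any(lines[i], FAULT_MARKERS))
            continue;
        for (size_t j = i; j < n && j - i <= TRACE_WINDOW; j++) {
            if (j > i && contains_any(lines[j], FAULT_MARKERS))
                break;              /* the next fault report begins here */
            if (contains_any(lines[j], HID_FRAMES)) { hits++; break; }
        }
    }
    return hits;
}

/* Constructed sample lines, not captured from a real system. */
static const char *const SAMPLE_LOG[] = {
    "kernel: BUG: KASAN: slab-out-of-bounds in hid_report_raw_event+0x1a0/0x5c0",
    "kernel: Call Trace:",
    "kernel:  hid_input_report+0x90/0x140",
    "kernel: general protection fault in ext4_readdir+0x10/0x20",
};

int main(void)
{
    size_t n = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];
    printf("HID-related fault reports: %d\n", count_hid_faults(SAMPLE_LOG, n));
    return 0;
}
```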
Monitoring Recommendations
- Inventory Bluetooth-enabled Linux endpoints and servers, prioritizing those exposed in shared physical environments
- Alert on Bluetooth pairing events from unmanaged or unknown devices through endpoint telemetry
- Aggregate kernel crash dumps and HID-subsystem warnings into a centralized log platform for retrospective analysis
How to Mitigate CVE-2026-43048
Immediate Actions Required
- Identify all Linux systems running affected kernel versions and prioritize patching of mobile, laptop, and IoT systems with active Bluetooth or HID interfaces
- Apply the upstream kernel fix or the distribution-provided update referencing commits 0a3fe97, 8f71034, or bd6e1d0
- Disable Bluetooth on systems where it is not operationally required to reduce adjacent-network exposure
Patch Information
The fix removes the unsafe memset() and adds an early return when the incoming HID event buffer is smaller than the associated report size. The patch is committed upstream and is available through the following kernel.org references: Kernel Git Commit 0a3fe97, Kernel Git Commit 8f71034, and Kernel Git Commit bd6e1d0. Linux distribution vendors backport these commits into supported stable kernel branches.
Workarounds
- Disable the Bluetooth stack using systemctl disable --now bluetooth on systems that do not require wireless HID peripherals
- Restrict USB HID device attachment via udev rules or USB device control policies on sensitive endpoints
- Unload the hid and bluetooth kernel modules where feasible, and blacklist them through /etc/modprobe.d/ configuration files until the patched kernel is deployed


