CVE-2026-43051 Overview
CVE-2026-43051 is an out-of-bounds read vulnerability in the Linux kernel's Wacom Human Interface Device (HID) driver. The flaw resides in the wacom_intuos_bt_irq() function, which processes Bluetooth HID reports from Wacom Intuos tablets without sufficient bounds checking. A maliciously crafted short HID report can trigger an out-of-bounds read when the driver copies data into the wacom structure. Report ID 0x03 requires at least 22 bytes for safe processing, while report 0x04 falls through to 0x03 and requires 32 bytes. The vulnerability is tracked under CWE-125 (Out-of-bounds Read) and affects Linux kernel versions including the 7.0 release candidates.
Critical Impact
An attacker within Bluetooth range can send crafted short HID reports to trigger kernel memory disclosure or denial of service on systems with paired Wacom Intuos devices.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1 through 7.0-rc4
- Systems using the hid-wacom driver with Bluetooth-paired Wacom Intuos tablets
Discovery Timeline
- 2026-05-01 - CVE-2026-43051 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43051
Vulnerability Analysis
The wacom_intuos_bt_irq() function in the Linux kernel's hid-wacom driver handles incoming Bluetooth HID interrupt reports from Wacom Intuos devices. The function dispatches processing based on the report ID byte but does not validate that the report buffer contains enough bytes for the subsequent field accesses.
For report ID 0x03, the handler reads processed pen data and battery status fields that require a minimum buffer length of 22 bytes. Report ID 0x04 falls through to the same handling logic but requires 32 bytes due to additional fields. When a short report is delivered, the driver reads past the end of the allocated report buffer.
The out-of-bounds read can leak adjacent kernel memory contents into driver state or trigger a kernel oops depending on memory layout. The fix introduces explicit length checks for these report IDs and logs a warning when a short report is received.
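The length rule described above, as an added userspace model (not the kernel's code and not part of the original advisory): a report is checked against the 22-byte and 32-byte minimums before any field is read. The function, enum and macro names are hypothetical, and the sample reports are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimum lengths stated in the advisory; all names here are hypothetical. */
#define BT_REPORT_03_MIN_LEN 22
#define BT_REPORT_04_MIN_LEN 32

enum bt_verdict { BT_OK, BT_SHORT, BT_UNHANDLED };

/* Minimum safe length for a report ID, or 0 if this model does not cover it. */
static size_t bt_report_min_len(uint8_t report_id)
{
	switch (report_id) {
	case 0x04: return BT_REPORT_04_MIN_LEN; /* shares the 0x03 path, needs more bytes */
	case 0x03: return BT_REPORT_03_MIN_LEN;
	default:   return 0;
	}
}

/* Decide whether a report may be parsed; only data[0] is read, and only if len > 0. */
enum bt_verdict bt_report_check(const uint8_t *data, size_t len)
{
	size_t need;

	if (data == NULL || len == 0)
		return BT_SHORT;        /* no report ID byte to dispatch on */
	need = bt_report_min_len(data[0]);
	if (need == 0)
		return BT_UNHANDLED;    /* fail closed on IDs outside this model */
	if (len < need) {
		fprintf(stderr, "report 0x%02x too short: %zu < %zu bytes\n",
			(unsigned)data[0], len, need);
		return BT_SHORT;        /* drop before any field access */
	}
	return BT_OK;
}

int main(void)
{
	/* Constructed samples: only the ID byte and the length matter here. */
	uint8_t r03[22] = { 0x03 }, r04[32] = { 0x04 };

	printf("0x03/22 -> %d\n", bt_report_check(r03, 22));
	printf("0x03/21 -> %d\n", bt_report_check(r03, 21));
	printf("0x04/32 -> %d\n", bt_report_check(r04, 32));
	printf("0x04/22 -> %d\n", bt_report_check(r04, 22));
	return 0;
}
```

The 0x04 report of 22 bytes is the case worth noting: it is long enough for the 0x03 layout but is still rejected, because the 0x04 path needs 32 bytes.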
Root Cause
The root cause is missing input validation on attacker-controlled HID report length. The driver trusts that any report tagged with ID 0x03 or 0x04 contains the full expected payload. The Bluetooth HID transport allows peers to send arbitrarily sized reports, so a paired or spoofed device can deliver truncated frames that bypass the implicit length assumption in the parser.
Attack Vector
Exploitation requires adjacent network access via Bluetooth to a target system with a paired Wacom Intuos tablet or to a system willing to pair with a hostile peer. No authentication or user interaction is required once the device is associated. The attacker sends a malformed short HID input report carrying report ID 0x03 or 0x04. The kernel's wacom_intuos_bt_irq() handler processes the report and reads beyond the supplied buffer, producing information disclosure of kernel memory or a kernel crash that results in denial of service.
No public proof-of-concept code is available. Technical details of the corrective patches are documented in the upstream stable tree commits referenced by the kernel maintainers.
Detection Methods for CVE-2026-43051
Indicators of Compromise
- Kernel log entries containing warnings about short Wacom HID reports after applying the patch, indicating attempted exploitation or malformed device traffic.
- Unexpected kernel oops or stack traces referencing wacom_intuos_bt_irq in dmesg or /var/log/kern.log.
- Bluetooth pairing events with unfamiliar devices identifying themselves as Wacom Intuos peripherals.
Detection Strategies
- Monitor kernel ring buffer output for warnings emitted by the patched hid-wacom driver when short reports are received.
- Inventory endpoints running vulnerable kernel versions and correlate with Bluetooth HID device usage to scope exposure.
- Use eBPF tracing on the wacom_intuos_bt_irq symbol to record report sizes and source device addresses for forensic review.
Monitoring Recommendations
- Forward kernel logs to a centralized analytics platform and alert on wacom driver warnings or oops events.
- Track installed kernel package versions across the fleet and flag hosts that have not received the upstream stable backport.
- Audit Bluetooth pairing records on Linux endpoints to detect unauthorized HID device associations.
How to Mitigate CVE-2026-43051
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that incorporates the upstream hid-wacom length-check patches.
- Unpair untrusted Bluetooth Wacom devices and disable Bluetooth on systems that do not require it.
- Restrict physical and radio-range access to systems with paired Wacom tablets while patches are pending.
Patch Information
The Linux kernel maintainers fixed the issue by adding explicit length checks for report IDs 0x03 and 0x04 in wacom_intuos_bt_irq() and logging a warning when a short report is received. Backports are available across multiple stable branches. See the upstream commits: Kernel commit 2f1763f6, Kernel commit 3d78386b, Kernel commit 41026bcc, Kernel commit 5b5b9730, Kernel commit 8bd690ac, Kernel commit c8dc23c9, Kernel commit d0ae84b3, and Kernel commit fa8901cb.
Workarounds
- Blacklist the hid-wacom (or wacom) kernel module on systems that do not require Wacom tablet support.
- Disable the Bluetooth stack via systemctl disable --now bluetooth on hosts where wireless HID peripherals are not needed.
- Limit Bluetooth pairing to known device addresses and require administrator approval for new HID associations.
# Configuration example: blacklist the wacom module and disable Bluetooth
echo "blacklist wacom" | sudo tee /etc/modprobe.d/blacklist-wacom.conf
sudo modprobe -r wacom
sudo systemctl disable --now bluetooth.service


