CVE-2026-43251 Overview
CVE-2026-43251 is a Linux kernel vulnerability in the HID: prodikeys driver. A fake or malicious USB device can present a crafted HID report descriptor that prevents the driver's input_mapping() hook from executing. Without that hook, the pm->input_ep82 pointer remains NULL, and a later dereference triggers a kernel crash. The flaw cannot be triggered by the legitimate Prodikeys device but is reachable by any attacker able to attach or emulate a USB device that impersonates one. The Linux kernel maintainers have merged a fix that adds a presence check on pm->input_ep82 before use.
Critical Impact
A crafted USB device impersonating a Prodikeys keyboard can crash the Linux kernel through a null pointer dereference, resulting in denial of service.
Affected Products
- Linux kernel HID: prodikeys driver (drivers/hid/hid-prodikeys.c)
- Linux distributions shipping the affected hid-prodikeys module
- Systems exposing USB ports to untrusted devices or virtualized USB passthrough
Discovery Timeline
- 2026-05-06 - CVE-2026-43251 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43251
Vulnerability Analysis
The hid-prodikeys driver supports the Creative Prodikeys PC-MIDI USB keyboard. During probe, the driver expects HID core to invoke its input_mapping() callback for each report field, and that callback is responsible for assigning the input_ep82 input device pointer used to deliver MIDI key events. If a USB device presents a custom report descriptor that does not contain fields the driver maps, input_mapping() is never called and pm->input_ep82 remains NULL. A subsequent code path that delivers events through pm->input_ep82 dereferences the null pointer and crashes the kernel.
This is a classic case [CWE-476] of trusting that initialization will be performed by a callback path that an attacker controls. Because USB report descriptors are device-supplied data, a hostile peripheral can choose what callbacks fire.
Root Cause
The driver assumes input_mapping() will always run and initialize pm->input_ep82 before any event-handling path executes. The assumption holds for the genuine hardware but does not hold when an attacker supplies a synthetic report descriptor. The merged fix introduces an explicit presence check on pm->input_ep82 and aborts the affected code path safely when the pointer is NULL.
Attack Vector
Exploitation requires the attacker to attach a USB device that identifies itself with the Prodikeys USB vendor and product ID but supplies an alternative report descriptor. This can be achieved with programmable USB hardware such as a Raspberry Pi Pico, Facedancer, or a virtualized USB device passed into a guest. Once the kernel binds the hid-prodikeys driver and the malicious descriptor is processed, the null dereference is reached and the kernel panics. The result is denial of service against any host that auto-binds USB HID devices.
No verified public exploit code is available. See the upstream commits referenced in the kernel.org stable tree for the fix details.
Detection Methods for CVE-2026-43251
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing hid-prodikeys or pcmidi_handle_report in dmesg or /var/log/kern.log.
- USB enumeration events for Creative Prodikeys vendor or product IDs on hosts that should not have such hardware attached.
- Repeated USB connect and disconnect cycles followed by kernel instability.
Detection Strategies
- Monitor kernel ring buffer output for null pointer dereference traces originating in drivers/hid/hid-prodikeys.c.
- Correlate udev add events with subsequent kernel faults to identify USB-induced crashes.
- Audit loaded kernel modules and flag systems where hid-prodikeys is loaded but no genuine MIDI keyboard is expected.
Monitoring Recommendations
- Forward auditd USB device events and kernel logs to a centralized SIEM for correlation across endpoints.
- Alert on USB devices presenting HID descriptors that bind to obscure drivers such as hid-prodikeys on servers and kiosks.
- Track kernel crash telemetry from EDR or systemd-coredump to surface repeated crashes tied to HID drivers.
How to Mitigate CVE-2026-43251
Immediate Actions Required
- Apply the upstream Linux kernel patch series and rebuild or update to a stable kernel containing the fix.
- Where patching is delayed, blacklist the hid-prodikeys module on systems that do not require Prodikeys MIDI keyboard support.
- Restrict physical and virtual USB access on production servers, kiosks, and shared workstations.
Patch Information
The fix is distributed across the stable Linux kernel branches in commits 3f1b21cc, cee8337e, d08f35f8, d5512ce8, e7ac1cd8, edccbf7d, ee572578, and f580c796. The change adds a presence check on pm->input_ep82 before dereference. Update via your distribution's kernel package manager once vendor builds incorporating these commits are released.
Workarounds
- Blacklist the affected module by adding blacklist hid-prodikeys to a file under /etc/modprobe.d/ and regenerate the initramfs.
- Use USBGuard or equivalent policy controls to deny unknown USB devices on sensitive endpoints.
- Disable USB ports through firmware or hardware controls on servers and embedded systems that do not need peripheral input.
# Blacklist the vulnerable driver until the patched kernel is deployed
echo "blacklist hid-prodikeys" | sudo tee /etc/modprobe.d/blacklist-hid-prodikeys.conf
sudo update-initramfs -u
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
