CVE-2026-46232 Overview
CVE-2026-46232 is an out-of-bounds read vulnerability in the Linux kernel HID PlayStation driver. The flaw resides in the dualshock4_parse_report function, which processes touch reports from DualShock 4 controllers. The driver trusts the num_touch_reports value supplied by the device without bounds checking. A malicious or malformed device can declare up to 256 touch reports, causing the parser to read approximately 2 KiB past the end of the touch_reports array. The leaked data is then emitted via evdev when the DS4_TOUCH_POINT_INACTIVE bit is set, exposing adjacent kernel memory to userspace.
Critical Impact
A crafted USB or Bluetooth HID device impersonating a DualShock 4 controller can leak up to 2 KiB of adjacent kernel memory to userspace through evdev events.
Affected Products
- Linux kernel versions containing the HID playstation driver prior to the fixed commits
- Systems with the hid-playstation module loaded and DualShock 4 controller support enabled
- Stable kernel branches addressed by commits 0bc4cf1a, 208f6d5b, 78126947, 9c031b24, and cac61b58
Discovery Timeline
- 2026-05-28 - CVE-2026-46232 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46232
Vulnerability Analysis
The vulnerability stems from missing input validation in the HID PlayStation driver's touch report handling logic. The dualshock4_parse_report function iterates over touch report entries based on the num_touch_reports field provided by the connected device. Because the driver does not clamp this value against the actual size of the touch_reports array, a device reporting a large count drives the loop past valid memory.
With a maximum of 256 loop iterations, the parser reads approximately 2 KiB of adjacent kernel heap or stack memory. The driver subsequently forwards portions of this data to userspace through evdev input events whenever the DS4_TOUCH_POINT_INACTIVE bit happens to be set in the out-of-bounds data. This creates a kernel-to-userspace information disclosure primitive classified as Out-of-Bounds Read.
Root Cause
The root cause is unconditional trust in device-supplied metadata. The driver assumes the controller reports a count consistent with the protocol specification. No sanity check enforces that num_touch_reports fits within the fixed-size touch_reports array. The fix clamps num_touch_reports to the maximum array size before the parsing loop executes.
Attack Vector
Exploitation requires a malicious HID device or a compromised peripheral that can present itself as a DualShock 4 controller. This includes physical USB devices, Bluetooth peripherals, or virtualized HID devices. The attacker crafts a report descriptor that declares a num_touch_reports value exceeding the array bounds. Once the device connects and emits a touch report, the kernel reads out-of-bounds memory and exposes it to any userspace process subscribed to the corresponding evdev node.
No verified public exploitation code is available. Technical details of the fix are documented in the upstream kernel commits.
Detection Methods for CVE-2026-46232
Indicators of Compromise
- Unexpected HID devices presenting DualShock 4 vendor and product identifiers from unknown sources
- Kernel log entries from the hid-playstation driver coinciding with anomalous input event traffic
- Userspace processes reading evdev nodes that they do not normally interact with
Detection Strategies
- Audit loaded kernel modules and verify whether hid-playstation is present on systems that do not require it
- Monitor udev events and dmesg output for HID device enumeration matching DualShock 4 identifiers on servers or workstations where such devices are not expected
- Compare running kernel versions against the fixed commits referenced in the upstream stable tree
Monitoring Recommendations
- Enable USB device authorization policies to log and gate new HID peripherals
- Track Bluetooth pairing events for HID-class devices in enterprise endpoint telemetry
- Alert on kernel module load events for hid-playstation outside of approved gaming or testing endpoints
How to Mitigate CVE-2026-46232
Immediate Actions Required
- Apply the upstream kernel patches referenced in the stable tree commits as soon as distribution updates are available
- Restrict physical and Bluetooth access to endpoints handling sensitive workloads to prevent malicious HID device attachment
- Blacklist the hid-playstation module on systems that do not require DualShock controller support
Patch Information
The fix clamps num_touch_reports to the size of the touch_reports array before the parsing loop. The patch is available in upstream Linux stable kernels via the following commits: Kernel Git Commit 0bc4cf1a, Kernel Git Commit 208f6d5b, Kernel Git Commit 78126947, Kernel Git Commit 9c031b24, and Kernel Git Commit cac61b58.
Workarounds
- Unload the driver with modprobe -r hid_playstation and prevent reload via a modprobe blacklist entry on systems that do not require PlayStation controller functionality
- Enforce USB authorization policies via /sys/bus/usb/devices/*/authorized to block untrusted HID peripherals
- Disable Bluetooth HID profile acceptance on servers and high-value endpoints
# Blacklist the hid-playstation module to prevent loading
echo "blacklist hid_playstation" | sudo tee /etc/modprobe.d/blacklist-hid-playstation.conf
sudo modprobe -r hid_playstation
# Verify the module is no longer loaded
lsmod | grep hid_playstation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
