{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure",
    "id" : "2464486",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464486"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-825",
  "details" : [ "A flaw was found in the Linux kernel's logitech-hidpp driver. When the force feedback initialization fails for the Logitech G920 Driving Force Racing Wheel, the driver returns an error before properly tearing down userspace infrastructure. This can lead to a use-after-free (UAF) vulnerability if userspace applications continue to access these deallocated resources. A successful exploitation of a UAF flaw could potentially result in a denial of service or arbitrary code execution." ],
  "statement" : "Logitech HID++ force-feedback init failure could leave a UAF; upstream orders teardown safely. Red Hat recommends updates; unload `hid_logitech_hidpp` where those devices are absent.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-43049\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43049\nhttps://lore.kernel.org/linux-cve-announce/2026050106-CVE-2026-43049-224e@gregkh/T" ],
  "name" : "CVE-2026-43049",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent the hid_logitech_hidpp module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.",
    "lang" : "en:us"
  },
  "csaw" : false
}