<Vulnerability name="CVE-2026-43051">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-05-01T00:00:00</PublicDate>
    <Bugzilla id="2464462" url="https://bugzilla.redhat.com/show_bug.cgi?id=2464462" xml:lang="en:us">
kernel: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-125</CWE>
    <Details xml:lang="en:us" source="Mitre">
In the Linux kernel, the following vulnerability has been resolved:

HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.

Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.

Add explicit length checks for these report IDs and log a warning if
a short report is received.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the Linux kernel's Wacom Human Interface Device (HID) driver. This vulnerability allows a remote attacker to trigger an out-of-bounds read by sending a specially crafted, short Bluetooth HID report. This can lead to the disclosure of sensitive information from the system's memory.
    </Details>
    <Statement xml:lang="en:us">
A Bluetooth HID report parsing bug in the Wacom driver can cause an out-of-bounds read in wacom_intuos_bt_irq(). Report 0x03 needs at least 22 bytes and report 0x04 needs 32 bytes because it falls through into the 0x03 handling path, but the old code processed shorter reports without validating these lengths. A malicious or compromised Bluetooth HID device can send a crafted short report and make the kernel read past the received report buffer while updating Wacom input or battery state. For CVSS, PR:N is used in the paranoid score because the attacker only needs control of a Bluetooth device and does not need a local account on the victim. The issue is reachable from the adjacent network over Bluetooth, not from the Internet.
    </Statement>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:10.2">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <ReleaseDate>2026-05-28T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:21557">RHSA-2026:21557</Advisory>
        <Package name="kernel">kernel-0:6.12.0-211.18.1.el10_2</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-05-28T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:21556">RHSA-2026:21556</Advisory>
        <Package name="kernel">kernel-0:5.14.0-687.12.1.el9_8</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <ReleaseDate>2026-05-28T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:21556">RHSA-2026:21556</Advisory>
        <Package name="kernel">kernel-0:5.14.0-687.12.1.el9_8</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>kernel-rt</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-43051
https://nvd.nist.gov/vuln/detail/CVE-2026-43051
https://lore.kernel.org/linux-cve-announce/2026050107-CVE-2026-43051-0d15@gregkh/T
    </References>
</Vulnerability>