Description
In the Linux kernel, the following vulnerability has been resolved:
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.
Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.
Add explicit length checks for these report IDs and log a warning if
a short report is received.
A flaw was found in the Linux kernel's Wacom Human Interface Device (HID) driver. This vulnerability allows a remote attacker to trigger an out-of-bounds read by sending a specially crafted, short Bluetooth HID report. This can lead to the disclosure of sensitive information from the system's memory.
Report
A Bluetooth HID report parsing bug in the Wacom driver can cause an out-of-bounds read in wacom_intuos_bt_irq. Report 0x03 needs at least 22 bytes, and report 0x04 needs 32 bytes because it falls through into the 0x03 handling path, but the old code processed shorter reports without validating these lengths. A malicious or compromised Bluetooth HID device can send a crafted short report and make the kernel read past the received report buffer while updating Wacom input or battery state. For the CVSS, PR:N is used in the paranoid score because the attacker only needs control of a Bluetooth device and does not need a local account on the victim. The issue is reachable over Bluetooth (adjacent network) rather than over the Internet.
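The fix described above is a per-report-ID minimum-length check performed before any field past the report ID is read. The C below is an added illustration of that pattern, not the kernel driver's code: the macro and function names are hypothetical, the two field offsets it reads (the last byte of each minimum window) are constructed for the example and are not the real Wacom report layout, and the sample reports are constructed, not captured traffic. The only values taken from the page are the report IDs 0x03 and 0x04 and their minimum lengths of 22 and 32 bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Report IDs and minimum lengths from the fix description. The names
 * BT_REPORT_* / MIN_LEN_* are hypothetical, not the driver's own. */
#define BT_REPORT_PROCESSED 0x03
#define BT_REPORT_EXTENDED  0x04
#define MIN_LEN_PROCESSED   22
#define MIN_LEN_EXTENDED    32

enum bt_status {
    BT_OK = 0,
    BT_UNKNOWN_ID = -1,
    BT_TOO_SHORT = -2,
};

/* Minimum bytes a report with this ID must carry. 0x04 falls through
 * into the 0x03 path, so it must satisfy the larger requirement. */
size_t bt_min_len(uint8_t report_id)
{
    switch (report_id) {
    case BT_REPORT_EXTENDED:  return MIN_LEN_EXTENDED;
    case BT_REPORT_PROCESSED: return MIN_LEN_PROCESSED;
    default:                  return 0;   /* not handled on this path */
    }
}

/* True when a handler with no length check would read past the end of
 * a len-byte buffer for this report ID (the pre-fix condition). */
bool bt_reads_past_end(uint8_t report_id, size_t len)
{
    size_t need = bt_min_len(report_id);
    return need != 0 && len < need;
}

/* Hardened handler: reject the report before any field past the ID is
 * touched, and log a warning as the fix does. Offsets 31 and 21 are
 * constructed for this example (last byte of each minimum window). */
enum bt_status bt_handle_report(const uint8_t *data, size_t len,
                                unsigned *battery_out, unsigned *extra_out)
{
    if (len == 0)
        return BT_TOO_SHORT;

    uint8_t id = data[0];
    size_t need = bt_min_len(id);
    if (need == 0)
        return BT_UNKNOWN_ID;
    if (len < need) {
        fprintf(stderr, "wacom: short report 0x%02x (%zu bytes, need %zu)\n",
                id, len, need);
        return BT_TOO_SHORT;
    }

    if (id == BT_REPORT_EXTENDED) {
        *extra_out = data[MIN_LEN_EXTENDED - 1];   /* constructed offset 31 */
        /* fall through into the 0x03 handling below, now safe */
    }
    *battery_out = data[MIN_LEN_PROCESSED - 1];    /* constructed offset 21 */
    return BT_OK;
}

int main(void)
{
    /* Constructed sample reports, not captured Bluetooth traffic. */
    uint8_t good03[22] = { BT_REPORT_PROCESSED };
    good03[21] = 77;
    uint8_t short03[10] = { BT_REPORT_PROCESSED };
    uint8_t short04[22] = { BT_REPORT_EXTENDED };  /* enough for 0x03, not for 0x04 */
    unsigned bat = 0, extra = 0;

    printf("0x03, 22 bytes: status %d, battery %u\n",
           bt_handle_report(good03, sizeof good03, &bat, &extra), bat);
    printf("0x03, 10 bytes: status %d\n",
           bt_handle_report(short03, sizeof short03, &bat, &extra));
    printf("0x04, 22 bytes: status %d\n",
           bt_handle_report(short04, sizeof short04, &bat, &extra));
    return 0;
}
```

The 22-byte 0x04 report is the case worth noting: it would pass a check written only for 0x03, which is why the fall-through path needs the larger 32-byte minimum applied at the top rather than a check placed inside the 0x03 branch.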
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Not affected | ||
| Red Hat Enterprise Linux 7 | kernel | Affected | ||
| Red Hat Enterprise Linux 7 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2026:21557 | 28.05.2026 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2026:21745 | 28.05.2026 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2026:21706 | 28.05.2026 |
| Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2026:21556 | 28.05.2026 |
Additional information
Status:
EPSS:
CVSS3: 7.1 High
Related vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received.