Description
In the Linux kernel, the following vulnerability has been resolved:

HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data
into `ihid->rawbuf`.

The former can come from userspace in the hidraw driver and is only
bounded by HID_MAX_BUFFER_SIZE (16384) by default (unless we also set the
`max_buffer_size` field of `struct hid_ll_driver`, which we do not).

The latter has size determined at runtime by the maximum size of
different report types you could receive on any particular device and
can be a much smaller value.

Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.

The impact is low since access to hidraw devices requires root.
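As an added illustration (not the kernel's code and not part of the CVE record), the following constructed C model puts the unchecked `recv_len + sizeof(__le16)` arithmetic the commit message describes beside the truncation the fix applies; `ihid_model`, `demo_request`, the 64-byte `rawbuf` and the device reply contents are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the i2c-hid report path, not the kernel's code.
 * Names follow the commit message: ihid->bufsize, ihid->rawbuf, recv_len. */
#define HID_MAX_BUFFER_SIZE 16384   /* default hidraw bound on recv_len */
typedef uint16_t le16;              /* stand-in for the kernel's __le16 */

struct ihid_model {
    size_t bufsize;   /* sized at probe from the device's largest report */
    uint8_t *rawbuf;  /* bufsize bytes */
};

/* The fix: truncate recv_len so recv_len + sizeof(le16) never exceeds bufsize. */
size_t clamp_recv_len(size_t recv_len, size_t bufsize)
{
    size_t max_len = bufsize > sizeof(le16) ? bufsize - sizeof(le16) : 0;
    return recv_len < max_len ? recv_len : max_len;
}

/* Model of the i2c_hid_xfer read: recv_len + sizeof(le16) bytes of the device
 * reply land in rawbuf. Returns -1 instead of overflowing, to keep it observable. */
static int xfer_into_rawbuf(struct ihid_model *ihid, size_t recv_len,
                            const uint8_t *reply, size_t reply_len)
{
    size_t want = recv_len + sizeof(le16);
    if (want > ihid->bufsize)
        return -1;    /* the unpatched driver would write past rawbuf here */
    if (want > reply_len)
        want = reply_len;
    memcpy(ihid->rawbuf, reply, want);
    return (int)want;
}

/* Bytes placed in rawbuf, or -1 if the request would not fit. */
int get_report(struct ihid_model *ihid, size_t recv_len, int apply_fix,
               const uint8_t *reply, size_t reply_len)
{
    if (apply_fix)
        recv_len = clamp_recv_len(recv_len, ihid->bufsize);
    return xfer_into_rawbuf(ihid, recv_len, reply, reply_len);
}

/* One request against a 64-byte rawbuf and a constructed full-size reply. */
int demo_request(size_t recv_len, int apply_fix)
{
    static uint8_t rawbuf[64], reply[HID_MAX_BUFFER_SIZE];
    struct ihid_model ihid = { sizeof rawbuf, rawbuf };
    memset(reply, 0xAB, sizeof reply);
    return get_report(&ihid, recv_len, apply_fix, reply, sizeof reply);
}
```

With a hidraw-sized `recv_len` of 16384 against a 64-byte `rawbuf`, the unpatched path requests 16386 bytes and is refused by the model, while the patched path clamps to 62 and transfers exactly 64 bytes.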
Published: 2026-02-14
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Kernel buffer overflow via i2c-hid interface
Action: Apply patch
AI Analysis

Impact

The Linux kernel's i2c-hid driver contains a buffer overflow when processing report requests. A user-space request can cause the kernel to read more data than fits in the destination buffer, leading to an out-of-bounds write in kernel memory. This may corrupt kernel data and could trigger a crash, but exploitation would require access to /dev/hidraw, which is restricted to root, so the practical impact is limited.

Affected Systems

All Linux kernel versions that include the unpatched i2c-hid driver are affected. The vendor is Linux, the product is the Linux kernel. No specific version numbers are listed, so every kernel build before the patch that contains the i2c-hid subsystem is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates medium-to-high severity, yet the EPSS score is less than 1% and the vulnerability is not in CISA's KEV catalog, suggesting a low likelihood of exploitation. Because access to /dev/hidraw devices requires root, the attack vector is local and requires privileged execution. The consequence is therefore limited to systems where an attacker already has root or can compromise a privileged process; under typical defense-in-depth controls the risk remains low.

Generated by OpenCVE AI on April 17, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to the latest release that contains the CVE-2026-23178 fix
  • If upgrading is delayed, restrict access to /dev/hidraw* device files to privileged users or enforce mandatory access control policies via SELinux, AppArmor, or similar mechanisms so that only trusted processes can read or write them
  • If the system does not require i2c-hid functionality, disable the driver by blacklisting it in /etc/modprobe.d or by compiling the kernel without i2c-hid support

Generated by OpenCVE AI on April 17, 2026 at 19:28 UTC.

Advisories
Source      ID          Title
Debian DLA  DLA-4499-1  linux-6.1 security update
Debian DSA  DSA-6141-1  linux security update
Debian DSA  DSA-6163-1  linux security update
History

Fri, 17 Apr 2026 19:45:00 +0000
  Weaknesses
    Added:   CWE-119

Fri, 03 Apr 2026 14:00:00 +0000
  Metrics
    Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Feb 2026 00:15:00 +0000
  References
    (no values listed)
  Metrics
    Removed: threat_severity None
    Added:   cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added:   threat_severity Moderate

Sat, 14 Feb 2026 16:45:00 +0000
  Description
    Added:   (the description quoted at the top of this page)
  Title
    Added:   HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
  First Time appeared
    Added:   Linux; Linux linux Kernel
  CPEs
    Added:   cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Linux; Linux linux Kernel
  References
    (no values listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T13:32:18.417Z

Reserved: 2026-01-13T15:37:45.984Z

Link: CVE-2026-23178

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-02-14T17:15:55.537

Modified: 2026-04-15T14:34:27.800

Link: CVE-2026-23178

Redhat

Severity: Moderate

Public Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23178 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T19:30:15Z

Weaknesses