Description
In the Linux kernel, the following vulnerability has been resolved:

HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

The wacom_intuos_bt_irq() function processes Bluetooth HID reports
without sufficient bounds checking. A maliciously crafted short report
can trigger an out-of-bounds read when copying data into the wacom
structure.

Specifically, report 0x03 requires at least 22 bytes to safely read
the processed data and battery status, while report 0x04 (which
falls through to 0x03) requires 32 bytes.

Add explicit length checks for these report IDs and log a warning if
a short report is received.
Published: 2026-05-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
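The length checks that the Description says the fix adds, written out as an added illustrative example in plain C; this is not the kernel's patch, and the function name, the constant names and the sample reports are hypothetical/constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimum lengths stated in the CVE description. Report 0x04 falls through
 * to the 0x03 handling in the driver, so it needs the larger of the two. */
#define WACOM_BT_REPORT_03_MIN_LEN 22u
#define WACOM_BT_REPORT_04_MIN_LEN 32u

/* Return 1 if the report is long enough to be parsed safely, 0 if it is
 * short (and log a warning, as the fix does). Report IDs other than
 * 0x03/0x04 are not covered by this CVE and pass through unchecked. */
int wacom_bt_report_len_ok(const uint8_t *data, size_t len)
{
    size_t need;

    if (len < 1)
        return 0;               /* not even a report-ID byte */

    switch (data[0]) {
    case 0x04:
        need = WACOM_BT_REPORT_04_MIN_LEN;
        break;
    case 0x03:
        need = WACOM_BT_REPORT_03_MIN_LEN;
        break;
    default:
        return 1;
    }

    if (len < need) {
        fprintf(stderr, "wacom: short BT report 0x%02x: got %zu bytes, need %zu\n",
                data[0], len, need);
        return 0;               /* caller must drop the report, not parse it */
    }
    return 1;
}

/* Constructed sample reports (not captured traffic): only byte 0 matters. */
static const uint8_t short_03[10] = {0x03};
static const uint8_t ok_03[22]    = {0x03};
static const uint8_t short_04[22] = {0x04};   /* long enough for 0x03, not 0x04 */
static const uint8_t ok_04[32]    = {0x04};
static const uint8_t other_id[3]  = {0x10};

int main(void)
{
    printf("short 0x03: %d\n", wacom_bt_report_len_ok(short_03, sizeof short_03));
    printf("22-byte 0x04: %d\n", wacom_bt_report_len_ok(short_04, sizeof short_04));
    return 0;
}
```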
AI Analysis

Impact

The Linux kernel driver for Wacom tablets contains an out‑of‑bounds read in the wacom_intuos_bt_irq() routine. The routine copies Bluetooth HID reports into an internal structure without checking that the report is large enough. An attacker who can send a maliciously short report (identifiers 0x03 or 0x04) can trigger this over‑read, exposing the kernel to data leakage or crashes. This weakness is best classified as an out‑of‑bounds read (CWE‑125, CWE‑788).

Affected Systems

Affected systems include any Linux kernel that includes the default Wacom HID driver without the bounds‑check fix. The CVE does not list specific kernel versions, but the fix appears in commits referenced in the CVE references; distributions shipping kernels prior to those commits are potentially vulnerable.

Risk and Exploitability

The CVSS score is 8.1 and the EPSS score is < 1%, indicating a very low but non-zero exploitation probability. The bug requires an attacker to send crafted Bluetooth HID reports to the tablet, which may be feasible for anyone who can pair with or control the device. While the vulnerability does not provide a reliable privilege escalation path, it can cause denial of service or information disclosure. The issue is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 3, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to the latest version that incorporates the wacom_intuos_bt_irq() bounds‑check fix.
  • If a kernel update cannot be applied immediately, disable or remove the Bluetooth HID functionality for the Wacom tablet (e.g., unplug the device or block the corresponding kernel module).
  • Ensure that only trusted devices can pair with the tablet by enforcing strict Bluetooth pairing policies when the device remains connected.

Advisories
Source       ID           Title
Debian DLA   DLA-4561-1   linux-6.1 security update
Debian DLA   DLA-4606-1   linux security update
Debian DSA   DSA-6243-1   linux security update
History

Thu, 07 May 2026 18:00:00 +0000

Type: CPEs
Values added:
  cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*

Sun, 03 May 2026 06:30:00 +0000

Type: Metrics
Values removed:
  cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Sat, 02 May 2026 00:15:00 +0000

Type: Weaknesses
Values added: CWE-125

Type: References
Values added: (not listed)

Type: Metrics
Values removed:
  threat_severity: None
Values added:
  cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  threat_severity: Important


Fri, 01 May 2026 23:15:00 +0000

Type: Weaknesses
Values added: CWE-788

Fri, 01 May 2026 14:45:00 +0000

Type: Description
Values added: (the description text shown at the top of this page)

Type: Title
Values added: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

Type: First Time appeared
Values added: Linux; Linux linux Kernel

Type: CPEs
Values added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Linux; Linux linux Kernel

Type: References
Values added: (not listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:16:45.927Z

Reserved: 2026-05-01T14:12:55.980Z

Link: CVE-2026-43051

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-01T15:16:51.543

Modified: 2026-05-07T18:00:03.043

Link: CVE-2026-43051

Redhat

Severity : Important

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43051 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-03T07:45:16Z

Weaknesses