Description
In the Linux kernel, the following vulnerability has been resolved:

HID: hid-pl: handle probe errors

Errors in init must be reported back or we'll
follow a NULL pointer the first time FF is used.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel HID plug‑and‑play module fails to report probe errors correctly, resulting in a NULL pointer dereference when force‑feedback (FF) functionality is first used. This bug can cause the system to crash or panic, interrupting all services and potentially requiring a reboot. The crash does not expose sensitive data or allow arbitrary code execution.

Affected Systems

Vulnerable systems are Linux kernels that include the HID‑PL subsystem before the fix. The exact affected releases are not listed, but any kernel version not containing the commit that resolves the probe error is at risk. Administrators should review the release notes of upcoming kernel versions for the addressed change.

Risk and Exploitability

Based on the description, the likely attack vector is inferred to be a user or attacker who can exercise force‑feedback on a connected HID device, such as a game controller or joystick. Triggering a force‑feedback action on such a device makes the kernel follow a NULL pointer on first use, leading to a crash. The EPSS score of < 1% indicates a very low probability of exploitation, and the absence from CISA KEV suggests no known public exploits. The potential for a kernel panic suggests high impact if the flaw is triggered, and exploitability depends on the attacker's ability to interact with a HID device that exercises force‑feedback. The CVSS score of 5.5 indicates moderate severity.

Generated by OpenCVE AI on May 13, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a release that includes the HID plug‑and‑play probe error fix (commit 04e50f45b5175bb90a06f5003113cb4ed6ba44c2 or later).
  • Reboot the system to load the updated kernel and activate the fixed module.
  • After reboot, test force‑feedback on a connected HID device to confirm that no crashes or kernel panics occur, and review system logs for any abnormal messages.



Advisories
Source | ID | Title
Debian DLA | DLA-4606-1 | linux security update
History

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Thu, 07 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 06 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: HID: hid-pl: handle probe errors Errors in init must be reported back or we'll follow a NULL pointer the first time FF is used.
Title HID: hid-pl: handle probe errors
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:18:46.106Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43152

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-06T12:16:32.943

Modified: 2026-05-13T20:12:10.063

Link: CVE-2026-43152

Red Hat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43152 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T23:00:11Z
