Description
In the Linux kernel, the following vulnerability has been resolved:

HID: prodikeys: Check presence of pm->input_ep82

Fake USB devices can send their own report descriptors for which the
input_mapping() hook does not get called. In this case, pm->input_ep82 stays
NULL, which leads to a crash later.

This does not happen with the real device, but can be provoked by imposing as
one.
Published: 2026-05-06
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Linux kernel's HID prodikeys driver, where counterfeit USB devices can provide custom report descriptors for which the input_mapping() hook is never called. Consequently, the pm->input_ep82 pointer remains NULL and is later dereferenced, resulting in a kernel crash. The flaw is a NULL pointer dereference caused by a lack of validation on USB descriptors and is classified as CWE-476.
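The failure pattern described above, as a simplified user-space C model added here for illustration; it is not the kernel driver's code or the upstream patch. Only input_ep82 and input_mapping come from the advisory; every other name, the descriptor stand-in and the -ENODEV return value are assumptions.

```c
/* User-space model of the bug class; not the prodikeys driver or its patch.
 * Only input_ep82 / input_mapping come from the advisory; the rest is assumed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#define MODEL_OOPS 1                 /* stands in for the kernel NULL dereference */

struct input_dev { unsigned long keybit; };
struct pk_model {
    struct input_dev *input_ep82;    /* assigned only by the mapping hook */
    struct input_dev ep82;
};

/* Constructed stand-in for a device-supplied report descriptor. */
struct fake_desc { int has_mapped_usage; };
static const struct fake_desc GENUINE = { 1 };  /* causes the hook to run */
static const struct fake_desc SPOOFED = { 0 };  /* hook is never called */

static void model_input_mapping(struct pk_model *pm)
{
    pm->input_ep82 = &pm->ep82;
}

/* The core decides from the descriptor whether the driver hook is called. */
static void model_hw_start(struct pk_model *pm, const struct fake_desc *d)
{
    if (d->has_mapped_usage)
        model_input_mapping(pm);
}

/* checked = 0: 'before' behaviour; checked = 1: pointer validated first. */
static int model_probe(const struct fake_desc *d, int checked)
{
    struct pk_model pm = { 0 };
    model_hw_start(&pm, d);
    if (checked && !pm.input_ep82)
        return -ENODEV;              /* reject the device cleanly */
    if (!pm.input_ep82)
        return MODEL_OOPS;           /* kernel would dereference NULL here */
    pm.input_ep82->keybit |= 1UL;    /* later use of the pointer */
    return 0;
}

int main(void)
{
    printf("spoofed, unchecked: %d\n", model_probe(&SPOOFED, 0));
    printf("spoofed, checked:   %d\n", model_probe(&SPOOFED, 1));
    return 0;
}
```

The point of the model is that the pointer's validity depends on a callback whose invocation is controlled by device-supplied data, so the driver has to verify it before first use.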

Affected Systems

All Linux kernel installations that include the prodikeys HID driver before the recent fix are affected. Vendor and version details are not explicitly listed, but the commits in the references show the issue was patched during 2026. Administrators should verify the presence of the commit(s) or apply a kernel version that contains the fix.

Risk and Exploitability

The CVSS score is 7.0 and EPSS is unavailable, but the flaw can be triggered by any user who can supply a malicious USB device, making it a local denial-of-service vulnerability. The KEV indicator is not listed, indicating no confirmed exploitation yet. The attack vector is physical or local access to the USB interface, with impact limited to crashing the system.

Generated by OpenCVE AI on May 7, 2026 at 03:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the prodikeys NULL pointer dereference fix (see the commit IDs in the provided references).
  • If a kernel update is not immediately available, blacklist or unload the prodikeys HID driver or otherwise block access to USB HID prodikeys devices to prevent the crash from occurring.
  • Use a user‑space USB filtering tool such as usbguard to block counterfeit prodikeys USB devices from attaching to the system.


Advisories

No advisories yet.

History

Thu, 07 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}; threat_severity: Moderate


Wed, 06 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one.
Title | | HID: prodikeys: Check presence of pm->input_ep82
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:28:41.835Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43251

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:45.740

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43251

Redhat

Severity: Moderate

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43251 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-07T03:30:20Z

Weaknesses