Description
In the Linux kernel, the following vulnerability has been resolved:

HID: playstation: Clamp num_touch_reports

A device would never lie about the number of touch reports would it?

If it does the loop in dualshock4_parse_report will read off the end of
the touch_reports array, up to about 2 KiB for the maximum number of 256
loop iterations. The data that is read is emitted via evdev if the
DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by
clamping the num_touch_reports value provided by the device to the
maximum size of the touch_reports array.
Published: 2026-05-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the HID PlayStation driver contains a bounds-check flaw that allows a weaponized controller to supply an out-of-range value for the number of touch reports. During parsing, the driver reads beyond the end of the internal touch_reports array, reaching up to about 2 KiB of adjacent kernel memory. If the DS4_TOUCH_POINT_INACTIVE bit is set, the out-of-bounds data is emitted through the evdev interface, a leak that can expose sensitive kernel contents. The weakness is classified here as CWE-805: the device-supplied count is used without a bounds check, resulting in an out-of-bounds read.
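The clamp described above, as an added user-space model that is not the kernel's code or the actual patch. The struct layout, `MAX_TOUCH_REPORTS`, the flag value and the function names `overread_bytes` and `parse_touch_clamped` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: layout, array size and flag value are assumptions. */
#define MAX_TOUCH_REPORTS 3
#define TOUCH_POINT_INACTIVE 0x80 /* stand-in for DS4_TOUCH_POINT_INACTIVE */

struct touch_report { uint8_t timestamp, contact, xy[3]; };

struct input_report {
    uint8_t num_touch_reports; /* supplied by the device, untrusted */
    struct touch_report touch_reports[MAX_TOUCH_REPORTS];
};

/* Bytes an unclamped loop would read past touch_reports for a claimed count. */
size_t overread_bytes(uint8_t claimed)
{
    if (claimed <= MAX_TOUCH_REPORTS)
        return 0;
    return (size_t)(claimed - MAX_TOUCH_REPORTS) * sizeof(struct touch_report);
}

/* Clamp the claimed count to the array size before iterating. Returns the
 * entries visited; *flagged counts entries with the inactive bit set, which
 * the page says are the ones whose data reaches evdev. */
size_t parse_touch_clamped(const struct input_report *r, size_t *flagged)
{
    size_t n = r->num_touch_reports, i;

    if (n > MAX_TOUCH_REPORTS)
        n = MAX_TOUCH_REPORTS;
    *flagged = 0;
    for (i = 0; i < n; i++)
        if (r->touch_reports[i].contact & TOUCH_POINT_INACTIVE)
            (*flagged)++;
    return n;
}

int main(void)
{
    /* Constructed report: claims 200 entries but only 3 exist. */
    struct input_report r = { 200, { {1, 0x80, {0}}, {2, 0x00, {0}}, {3, 0x80, {0}} } };
    size_t flagged, n = parse_touch_clamped(&r, &flagged);

    printf("visited=%zu flagged=%zu unclamped overread=%zu bytes\n",
           n, flagged, overread_bytes(r.num_touch_reports));
    return 0;
}
```

The point to carry into review of any report parser is that the loop bound comes from the array's declared size, with the device-supplied count only ever able to lower it.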

Affected Systems

The defect resides in the generic Linux kernel HID subsystem and would affect any distribution that ships a kernel version containing the buggy dualshock4_parse_report implementation. No specific patch level or vendor variant is listed, so any kernel not yet updated with the clamping change is potentially affected.

Risk and Exploitability

Based on the description, it is inferred that an attacker must have physical access to a PlayStation controller connected to the host and appropriate permissions to read the corresponding evdev device node. The CVSS score of 8.1 indicates high severity, while the EPSS score of < 1% suggests a low but nonzero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no known large‑scale exploitation at the time of publication. The attack could lead to kernel memory disclosure and potentially further compromise if sensitive data is leaked, but it requires local device access and is thus considered a physical or local attack vector.

Generated by OpenCVE AI on June 10, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest kernel that includes the patch clamping the num_touch_reports value in dualshock4_parse_report
  • Restrict read access to the evdev device nodes associated with PlayStation controllers by limiting ownership or group permissions so that only trusted users can read the evdev interface
  • If the controller is not required, disable the dualshock4 HID driver by removing its module with modprobe -r or setting appropriate module options



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:*

Sat, 30 May 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-788

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 29 May 2026 00:15:00 +0000


Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-788

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iterations. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.
Title HID: playstation: Clamp num_touch_reports
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:04:31.851Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46232

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-28T10:16:38.840

Modified: 2026-06-10T21:11:53.927

Link: CVE-2026-46232

Redhat

Severity :

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46232 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T22:45:27Z
