CVE-2026-23178
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
i2c_hid_xfer is used to read recv_len + sizeof(__le16) bytes of data into ihid->rawbuf.
The former can come from userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE (16384) by default (unless we also set max_buffer_size field of struct hid_ll_driver which we do not).
The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value.
Fix this by truncating recv_len to ihid->bufsize - sizeof(__le16).
The impact is low since access to hidraw devices requires root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-23178 describes a buffer overflow in the Linux HID i2c-hid driver due to insufficient bounds checking on user-supplied report lengths.
Vulnerability Details
CVE-2026-23178 is a buffer overflow vulnerability in the Linux kernel's HID subsystem, specifically in the i2c_hid_get_report() function of the i2c-hid driver. The function uses i2c_hid_xfer to read recv_len + sizeof(__le16) bytes of data into a fixed-size buffer (ihid->rawbuf). The recv_len value originates from userspace via the hidraw driver and is only bounded by the default HID_MAX_BUFFER_SIZE (16384 bytes) unless a driver sets a specific max_buffer_size, which the i2c-hid driver does not. However, ihid->bufsize is determined at runtime based on the maximum report size of the device, which can be much smaller than 16384 bytes.
Exploitation
An attacker with root access to a hidraw device can supply a recv_len value larger than ihid->bufsize - sizeof(__le16), causing a heap-based buffer overflow when i2c_hid_xfer writes data into rawbuf. The vulnerability is exploitable only by users with CAP_SYS_ADMIN (typically root) and requires access to a HID device. No user interaction is needed beyond the attacker possessing the necessary privileges.
Impact
Successful exploitation can corrupt kernel heap memory, potentially leading to a denial of service (system crash or hang) or, with further memory manipulation, privilege escalation. However, the official description notes that access to hidraw devices requires root, reducing the practical impact.
Mitigation
The fix, introduced in two stable kernel commits [1][2], truncates recv_len to ihid->bufsize - sizeof(__le16) before the transfer, preventing the overflow. Users should apply the latest stable kernel updates containing this patch. No CVSS v3 vector string is provided, but the High severity (7.8) indicates significant risk if exploitation conditions are met.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
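As an added illustration (constructed for this page, not the kernel's code and not from the i2c-hid project), the following C model reproduces the length arithmetic the description and the mitigation text describe: pre-fix, a user-supplied recv_len bounded only by HID_MAX_BUFFER_SIZE drives a transfer of recv_len + sizeof(__le16) bytes into a buffer of just ihid->bufsize bytes; post-fix, recv_len is first truncated to bufsize - sizeof(__le16). struct i2c_hid_model, model_xfer, model_get_report and run_scenario are assumed names; the transfer stand-in refuses to overrun and returns -1 instead of corrupting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HID_MAX_BUFFER_SIZE 16384 /* default hidraw bound on user-supplied lengths */

/* Stand-in for the parts of struct i2c_hid the bug touches (constructed). */
struct i2c_hid_model {
    uint8_t *rawbuf;  /* receive buffer, sized to bufsize at probe time */
    size_t   bufsize; /* largest report the device can produce, often far below 16384 */
};

/* Stand-in for i2c_hid_xfer(): refuses to overrun rawbuf and returns -1 instead. */
static int model_xfer(struct i2c_hid_model *ihid, size_t recv_len)
{
    size_t xfer_len = recv_len + sizeof(uint16_t); /* recv_len + sizeof(__le16) */
    if (xfer_len > ihid->bufsize)
        return -1; /* the real driver would overrun rawbuf here */
    memset(ihid->rawbuf, 0xAB, xfer_len); /* constructed device reply */
    return (int)xfer_len;
}

/* Model of i2c_hid_get_report(): clamp=0 is pre-fix, clamp=1 applies the fix.
 * Returns bytes written into rawbuf, or -1 if the transfer would not fit. */
int model_get_report(struct i2c_hid_model *ihid, size_t recv_len, int clamp)
{
    size_t max_recv;
    if (recv_len > HID_MAX_BUFFER_SIZE)
        return -1; /* hidraw already rejects lengths above this bound */
    if (ihid->bufsize < sizeof(uint16_t))
        return -1; /* keep the subtraction below from underflowing */
    max_recv = ihid->bufsize - sizeof(uint16_t);
    if (clamp && recv_len > max_recv)
        recv_len = max_recv; /* the fix: truncate to bufsize - sizeof(__le16) */
    return model_xfer(ihid, recv_len);
}

/* Runs one scenario against a constructed device whose rawbuf holds bufsize bytes. */
int run_scenario(size_t bufsize, size_t recv_len, int clamp)
{
    static uint8_t backing[HID_MAX_BUFFER_SIZE + sizeof(uint16_t)];
    struct i2c_hid_model ihid = { backing, bufsize };
    if (bufsize > sizeof backing)
        return -1;
    return model_get_report(&ihid, recv_len, clamp);
}
```

With a 64-byte device buffer, run_scenario(64, 16384, 0) reports the pre-fix overrun as -1, while run_scenario(64, 16384, 1) clamps the request to 62 bytes and completes a 64-byte transfer.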
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76 (nvd)
- git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29 (nvd)
- git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e (nvd)
- git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219 (nvd)
- git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9 (nvd)
News mentions (0)
No linked articles in our index yet.