{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23178", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.984Z", "datePublished": "2026-02-14T16:27:10.108Z", "dateUpdated": "2026-02-16T08:58:51.701Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-16T08:58:51.701Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/i2c-hid/i2c-hid-core.c"], "versions": [{"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "f9c9ad89d845f88a1509e9d672f65d234425fde9", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "cff3f619fd1cb40cdd89971df9001f075613d219", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "786ec171788bdf9dda38789163f1b1fbb47f2d1e", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "2124279f1f8c32c1646ce98e75a1a39b23b7db76", "status": "affected", "versionType": "git"}, {"version": "85df713377ddc0482071c3e6b64c37bd1e48f1f1", "lessThan": "2497ff38c530b1af0df5130ca9f5ab22c5e92f29", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/hid/i2c-hid/i2c-hid-core.c"], "versions": [{"version": "5.18", "status": "affected"}, {"version": "0", "lessThan": "5.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.163", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.124", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.70", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.163"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.6.124"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.12.70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"}, {"url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"}, {"url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"}, {"url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"}, {"url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"}], "title": "HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\n\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\n\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\n\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\n\nThe impact is low since access to hidraw devices requires root."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nHID: i2c-hid: corrige un potencial desbordamiento de b\u00fafer en i2c_hid_get_report()\n\n'i2c_hid_xfer' se utiliza para leer 'recv_len + sizeof(__le16)' bytes de datos en 'ihid->rawbuf'.\n\nEl primero puede provenir del espacio de usuario en el controlador hidraw y est\u00e1 limitado \u00fanicamente por HID_MAX_BUFFER_SIZE(16384) por defecto (a menos que tambi\u00e9n configuremos el campo 'max_buffer_size' de 'struct hid_ll_driver', lo cual no hacemos).\n\nEl segundo tiene un tama\u00f1o determinado en tiempo de ejecuci\u00f3n por el tama\u00f1o m\u00e1ximo de los diferentes tipos de informes que se podr\u00edan recibir en cualquier dispositivo particular y puede ser un valor mucho menor.\n\nEsto se soluciona truncando 'recv_len' a 'ihid->bufsize - sizeof(__le16)'.\n\nEl impacto es bajo ya que el acceso a los dispositivos hidraw requiere root."}], "id": "CVE-2026-23178", "lastModified": "2026-02-18T17:52:22.253", "metrics": {}, "published": "2026-02-14T17:15:55.537", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2124279f1f8c32c1646ce98e75a1a39b23b7db76"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2497ff38c530b1af0df5130ca9f5ab22c5e92f29"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/786ec171788bdf9dda38789163f1b1fbb47f2d1e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cff3f619fd1cb40cdd89971df9001f075613d219"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f9c9ad89d845f88a1509e9d672f65d234425fde9"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()", "id": "2439914", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439914"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nHID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()\n`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data\ninto `ihid->rawbuf`.\nThe former can come from the userspace in the hidraw driver and is only\nbounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set\n`max_buffer_size` field of `struct hid_ll_driver` which we do not).\nThe latter has size determined at runtime by the maximum size of\ndifferent report types you could receive on any particular device and\ncan be a much smaller value.\nFix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`.\nThe impact is low since access to hidraw devices requires root."], "name": "CVE-2026-23178", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23178\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23178\nhttps://lore.kernel.org/linux-cve-announce/2026021428-CVE-2026-23178-ffd4@gregkh/T"], "statement": "As noted in the patch, access to hidraw devices requires root privileges (or specific device permissions). The practical impact is limited since an attacker would already need elevated access to exploit this vulnerability. The overflow could potentially be used for local privilege escalation but the attack surface is constrained.", "threat_severity": "Moderate"}