HIGH
HID Multitouch Report Overflow
CVE-2026-43047
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

HID: multitouch: Check to ensure report responses match the request

It is possible for a malicious (or clumsy) device to respond to a specific report's feature request using a completely different report ID. This can cause confusion in the HID core resulting in nasty side-effects such as OOB writes.

Add a check to ensure that the report ID in the response, matches the one that was requested. If it doesn't, omit reporting the raw event and return early.
02 KernelScan AI Analysis
Risk summary
A malicious HID multitouch device can cause out-of-bounds memory writes in the kernel by sending feature reports with mismatched report IDs. This could lead to kernel memory corruption, system crashes, or potentially privilege escalation. The attack requires physical access to connect a malicious device or the ability to compromise existing HID device firmware.
Vulnerability analysis
Root Cause: The HID multitouch driver fails to validate that feature report responses from USB/I2C HID devices match the requested report ID. A malicious device can respond to a feature request with a different report ID, causing the HID core to process the response with incorrect size assumptions and potentially write out-of-bounds.
Attack Surface: This vulnerability affects systems with HID multitouch devices connected via USB or I2C interfaces. An attacker would need physical access to connect a malicious HID device or compromise an existing HID device's firmware. The vulnerability is triggered when the kernel requests feature reports from the device during initialization or operation.
Fix Mechanism: The patch adds a validation check in mt_get_feature() to ensure the report ID in the response (buf[0]) matches the requested report->id. If they don't match, the function logs an error and returns early without calling hid_report_raw_event(), preventing the malformed response from being processed.
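The following userspace model illustrates the check described under Fix Mechanism. It is an added example, not the kernel patch or driver code. The report table, sizes, function names and sample responses are hypothetical, and it assumes the buffer is sized for the requested report while the parser picks the report from the ID byte the device returned.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: names and sizes are hypothetical, not kernel code. */
struct report { uint8_t id; size_t size; };      /* size includes the ID byte */
static const struct report reports[] = { {2, 4}, {5, 64} };   /* constructed */

/* Constructed device responses to a request for report ID 2. */
static const uint8_t matching_resp[4]   = { 2, 0x01, 0x02, 0x03 };
static const uint8_t mismatched_resp[4] = { 5, 0x01, 0x02, 0x03 };

enum result { ACCEPTED, REJECTED, WOULD_OVERRUN };

static const struct report *find_report(uint8_t id)
{
    for (size_t i = 0; i < sizeof(reports) / sizeof(reports[0]); i++)
        if (reports[i].id == id)
            return &reports[i];
    return NULL;
}

/* Assumption: the buffer is sized for the requested report, while the parser
 * selects the report (and its size) from the ID byte the device sent back. */
static enum result get_feature(uint8_t req_id, const uint8_t *resp,
                               size_t resp_len, int check_id)
{
    const struct report *req = find_report(req_id);
    uint8_t buf[64] = { 0 };
    if (!req || resp_len == 0 || resp_len > req->size)
        return REJECTED;                          /* malformed request/response */
    memcpy(buf, resp, resp_len);
    if (check_id && buf[0] != req->id)            /* the check the fix adds */
        return REJECTED;
    const struct report *parsed = find_report(buf[0]);
    if (parsed && parsed->size > req->size)
        return WOULD_OVERRUN;                     /* parser trusts wrong size */
    return ACCEPTED;
}

int main(void)
{
    printf("unchecked, matching:   %d\n", get_feature(2, matching_resp, 4, 0));
    printf("unchecked, mismatched: %d\n", get_feature(2, mismatched_resp, 4, 0));
    printf("checked,   mismatched: %d\n", get_feature(2, mismatched_resp, 4, 1));
    return 0;
}
```

The model only reports that a parse would exceed the buffer; it never performs the out-of-bounds access.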
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 4.4 | 4.4 | 516da3f25cfe |
| 5.10 | 5.10.253 | a61163daf8a9 |
| 5.15 | 5.15.203 | 74c6015375d8 |
| 6.1 | 6.1.168 | c7a27bb4d0f6 |
| 6.12 | 6.12.81 | 7f66fdbc077f |
| 6.18 | 6.18.22 | 2edc92f89eee |
| 6.19 | 6.19.12 | e716edafedad |
| 6.6 | 6.6.134 | 6a4acd3e86fe |
| mainline | 7.0 | — |