KernelScan.io

HIGH

HID Wacom Bluetooth Report OOB

CVE-2026-43051

CVSS 8.1 / 10.0 NVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 8.1 HIGH


In the Linux kernel, the following vulnerability has been resolved:

HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure.

Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes.

Add explicit length checks for these report IDs and log a warning if a short report is received.


Engine v0.2.0

Risk summary

A nearby attacker with Bluetooth access could send maliciously crafted short HID reports to cause the kernel to read beyond allocated memory boundaries. This could potentially lead to information disclosure by leaking kernel memory contents or system crashes, affecting system availability.

Affected: drivers/hid/wacom_wac.c

Vulnerability analysis

Root Cause: The wacom_intuos_bt_irq() function processes Bluetooth HID reports without validating that the report length is sufficient before accessing specific byte offsets. Report types 0x03 and 0x04 require minimum lengths of 22 and 32 bytes respectively, but the function would attempt to read data at these offsets regardless of actual report length.

Attack Surface: This vulnerability is exploitable through Bluetooth HID reports sent to paired Wacom Intuos4 Wireless tablets. An attacker would need to be within Bluetooth range and either compromise an already-paired device or exploit Bluetooth pairing vulnerabilities to send malicious HID reports. The attack requires physical proximity but no special privileges on the target system.

Fix Mechanism: The patch adds explicit length validation checks for report types 0x03 and 0x04. For report 0x04, it checks if len < 32 and breaks early with a warning. For report 0x03, it checks if len < 22 when processing the first instance (i == 1) and breaks with a warning if the report is too short. This prevents out-of-bounds memory access.
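The check-before-read pattern described under Fix Mechanism, as an added user-space example (not the kernel patch or the driver's own code). The names parse_bt_report, tablet_state and consume_pkt are hypothetical, and the layout of 10-byte packets followed by one status byte is an assumption chosen to be consistent with the 22 and 32 byte minimums above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKT_LEN        10   /* assumed packet size, consistent with 22/32 */
#define REPORT_03_MIN  22   /* minimum length stated in the advisory */
#define REPORT_04_MIN  32   /* minimum length stated in the advisory */

enum { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_UNKNOWN = -2 };

/* Hypothetical destination state; not the kernel's own structure. */
struct tablet_state {
    uint8_t last_pkt[PKT_LEN];
    uint8_t status;      /* byte that follows the last packet */
    unsigned pkts;       /* packets consumed from this report */
};

static void consume_pkt(struct tablet_state *st, const uint8_t *p)
{
    memcpy(st->last_pkt, p, PKT_LEN);
    st->pkts++;
}

/* Returns PARSE_OK, or a negative code without reading buf past len. */
int parse_bt_report(struct tablet_state *st, const uint8_t *buf, size_t len)
{
    size_t i = 1;                       /* byte 0 is the report ID */

    if (len < 1)
        return PARSE_SHORT;
    st->pkts = 0;

    switch (buf[0]) {
    case 0x04:
        if (len < REPORT_04_MIN)        /* validate before the first read */
            return PARSE_SHORT;
        consume_pkt(st, buf + i);
        i += PKT_LEN;
        /* the remaining bytes use the 0x03 layout */
        /* fall through */
    case 0x03:
        if (i == 1 && len < REPORT_03_MIN)  /* direct 0x03 entry only */
            return PARSE_SHORT;
        consume_pkt(st, buf + i);  i += PKT_LEN;
        consume_pkt(st, buf + i);  i += PKT_LEN;
        st->status = buf[i];            /* index 21 (0x03) or 31 (0x04) */
        return PARSE_OK;
    default:
        return PARSE_UNKNOWN;
    }
}
```

The `i == 1` condition matters because a 0x04 report reaches the 0x03 case with `i` already advanced; its length was validated against the larger minimum on entry.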


Branch     Fixed in    Patch commit
5.10       5.10.253    d0ae84b3c9f3
5.15       5.15.203    5b5b97301118
6.1        6.1.168     fa8901cb1f0b
6.12       6.12.81     41026bcc0fdf
6.18       6.18.22     c8dc23c97680
6.19       6.19.12     3d78386b1444
6.6        6.6.134     8bd690ac1242
mainline   7.0         2f1763f62909