HIGH
hid TouchReports OOB
CVE-2026-46232
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 7.1 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

HID: playstation: Clamp num_touch_reports

A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iterations. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set.

Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.
02 KernelScan AI Analysis
Risk summary
A malicious PlayStation DualShock4 controller connected via USB or Bluetooth can trigger an out-of-bounds read in the HID PlayStation driver by providing an inflated touch report count. Up to approximately 2 KB of kernel memory may be read beyond the touch_reports array. The leaked data can be emitted to userspace via evdev events, resulting in information disclosure (C:Low). Additionally, an out-of-bounds read of this magnitude in kernel space is likely to access unmapped pages, leading to a kernel panic (A:High).
Vulnerability analysis
The vulnerability occurs in dualshock4_parse_report() where the driver trusts the num_touch_reports field from the HID device without validation. A malicious device can set this to up to 256, causing the parsing loop to read beyond the touch_reports array bounds. The fix adds min_t() clamping to limit num_touch_reports to ARRAY_SIZE(touch_reports). The vulnerability can be triggered by a malicious USB-connected device (requiring physical access) or a malicious Bluetooth-paired controller (requiring physical proximity).
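The clamp described above, as an added userspace sketch (not the kernel's code or the actual patch): the struct layout, the array size of 3, and the function names are assumptions made for illustration, and the sample report is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Assumed, simplified layout for illustration; not the kernel's structs. */
struct touch_report { uint8_t timestamp; uint8_t points[2][4]; };
struct input_report {
    uint8_t num_touch_reports;            /* count supplied by the device */
    struct touch_report touch_reports[3]; /* fixed array; size 3 is assumed */
};

/* Bytes a loop bounded only by the device's count would read past the array. */
size_t oob_bytes_if_unclamped(const struct input_report *r)
{
    size_t cap = ARRAY_SIZE(r->touch_reports);
    if (r->num_touch_reports <= cap)
        return 0;
    return (r->num_touch_reports - cap) * sizeof(struct touch_report);
}

/* Hardened walk: clamp the count to the array size before looping
 * (the kernel fix does this with min_t()). Returns reports walked. */
size_t parse_touch_reports(const struct input_report *r, unsigned *ts_sum)
{
    size_t n = r->num_touch_reports;
    if (n > ARRAY_SIZE(r->touch_reports))
        n = ARRAY_SIZE(r->touch_reports);
    *ts_sum = 0;
    for (size_t i = 0; i < n; i++)
        *ts_sum += r->touch_reports[i].timestamp;
    return n;
}
/* Constructed sample report: every timestamp is 1, count is caller-chosen. */
struct input_report make_report(uint8_t count)
{
    struct input_report r = { .num_touch_reports = count };
    for (size_t i = 0; i < ARRAY_SIZE(r.touch_reports); i++)
        r.touch_reports[i].timestamp = 1;
    return r;
}

int main(void)
{
    struct input_report r = make_report(255); /* device claims 255 reports */
    unsigned sum;
    size_t n = parse_touch_reports(&r, &sum);
    printf("walked=%zu oob_if_unclamped=%zu\n", n, oob_bytes_if_unclamped(&r));
    return 0;
}
```

With the assumed 9-byte report, a claimed count of 255 against a 3-entry array leaves 2268 bytes beyond the array, consistent with the "about 2 KiB" figure in the description.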
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.90 | 9c031b24aed6 |
| 6.18 | 6.18.32 | 7812694752a5 |
| 6.6 | 6.6.140 | 0bc4cf1a6ba0 |
| 7.0 | 7.0.9 | 208f6d5b1dfd |
| mainline | 7.1-rc4 | cac61b58a3b6 |