Severity: HIGH · CVE-2026-46232 · CNA: Linux

CVE-2026-46232: HID: playstation: Clamp num_touch_reports

In the Linux kernel, the following vulnerability has been resolved:

HID: playstation: Clamp num_touch_reports

A device would never lie about the number of touch reports, would it? If it does, the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iterations. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set.

Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.
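The bug class described above, as an added user-space model (not the kernel driver's code and not HarborGuard's): a device-supplied count drives a loop over a fixed-size array, with and without the clamp. The array capacity of 3, the 9-byte entry size and the name `parse_touch_reports` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this model; they are not taken from the kernel source. */
#define MAX_TOUCH_REPORTS 3   /* capacity of the touch_reports array */
#define TOUCH_REPORT_SIZE 9   /* bytes per touch report entry */
#define MEM_SIZE (256 * TOUCH_REPORT_SIZE)

/* Walk the touch reports the way a parse loop would, over a flat buffer that
 * holds the array followed by unrelated bytes (so the model itself never
 * reads outside its own buffer). Returns how many bytes were read from
 * beyond the end of the array. */
size_t parse_touch_reports(const uint8_t *mem, unsigned num_touch_reports,
                           int clamp)
{
    size_t array_bytes = MAX_TOUCH_REPORTS * TOUCH_REPORT_SIZE;
    size_t oob_bytes = 0;
    volatile uint8_t sink = 0;   /* stands in for data handed on to evdev */

    /* The fix: never trust the device-supplied count beyond the array size. */
    if (clamp && num_touch_reports > MAX_TOUCH_REPORTS)
        num_touch_reports = MAX_TOUCH_REPORTS;

    for (unsigned i = 0; i < num_touch_reports; i++) {
        size_t off = (size_t)i * TOUCH_REPORT_SIZE;
        for (size_t b = 0; b < TOUCH_REPORT_SIZE; b++)
            sink ^= mem[off + b];
        if (off + TOUCH_REPORT_SIZE > array_bytes)
            oob_bytes += TOUCH_REPORT_SIZE;
    }
    (void)sink;
    return oob_bytes;
}

int main(void)
{
    /* Constructed memory: array bytes are 0x00, everything after is 0xAA. */
    static uint8_t mem[MEM_SIZE];
    memset(mem + MAX_TOUCH_REPORTS * TOUCH_REPORT_SIZE, 0xAA,
           MEM_SIZE - MAX_TOUCH_REPORTS * TOUCH_REPORT_SIZE);

    printf("count=3   unclamped: %zu\n", parse_touch_reports(mem, 3, 0));
    printf("count=255 unclamped: %zu\n", parse_touch_reports(mem, 255, 0));
    printf("count=255 clamped:   %zu\n", parse_touch_reports(mem, 255, 1));
    return 0;
}
```

With these assumed sizes, an unclamped count of 255 reads 2268 bytes past the array, which is in line with the "about 2 KiB" figure in the description.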

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the Linux kernel's HID playstation driver, specifically in the DualShock 4 touch report parsing code. The flaw is reachable from an adjacent network or local bus context and requires no authentication, allowing a malicious or crafted USB/Bluetooth HID device to supply an oversized touch-report count. Successful exploitation leaks up to roughly 2 KiB of kernel memory contents via the evdev interface and can disrupt service availability. A patched-image rebuild at fix versions 6.6.140 and 6.12.90 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected Linux kernel versions. Any image carrying a kernel in the affected version ranges is flagged automatically at both registry scan time and CI/CD pipeline gate.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on their configured escalation rules.

Status: Available

Patch

A patched-image rebuild targeting fix versions 6.6.140 and 6.12.90 is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability

    The attack originates from an adjacent network or physical bus (Bluetooth or USB), meaning the attacker must be on the same LAN, VLAN, or within wireless/wired HID pairing range rather than reaching the target over the open internet.

  • Authentication: Not required

    No credentials or account are needed; the attacker only needs to present a crafted HID device to the target host.

  • Victim interaction: Not required

    No user action is required; parsing of the malicious touch report happens automatically when the kernel processes HID input from the device.

  • Attack complexity

    Exploit conditions are straightforward and reliable; no race conditions or special memory layout requirements are needed beyond supplying an oversized num_touch_reports value.

Blast Radius

  • Reads up to roughly 2 KiB of out-of-bounds kernel memory, which may include sensitive in-kernel data structures, and emits that data to userspace via the evdev interface.
  • Disrupts normal operation of the affected kernel subsystem, which can crash or destabilize the HID input stack and cause a denial of service for input-dependent workloads.
  • Integrity of processed input events is unaffected; the vulnerability does not grant write access to kernel memory.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication against all images in connected registries and pipelines, including images with custom-compiled kernels. For environments running Linux kernels prior to 6.6.140 or 6.12.90, a rebuild at the patched version is available as soon as the fix is confirmed present in the base image.

For customers who opt into auto-remediation, HarborGuard handles the full flow: rebuild the image at the patched version, run regression tests, and open a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Where compliance policy or deployment constraints prevent immediate patching, consider applying kernel module loading restrictions to block the hid-playstation module on hosts where DualShock 4 support is not required, and enforce strict USB and Bluetooth device allowlists via udev or similar host policy to limit exposure to untrusted HID peripherals.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available
Affected packages
  • Linux / Linux
    < 0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4 (from 752038248808a7ff176bbdb668f19ae7d2a9816b) · < 9c031b24aed6733b6dcc5d98527875b8654a04e9 (from 752038248808a7ff176bbdb668f19ae7d2a9816b) · < 7812694752a5f295eaa05a093b90a2c332666051 (from 752038248808a7ff176bbdb668f19ae7d2a9816b) · < 208f6d5b1dfd6399bc6af9e11f27f1f496243ed0 (from 752038248808a7ff176bbdb668f19ae7d2a9816b) · < cac61b58a3b6340c52afa06bb15eac033158db2f (from 752038248808a7ff176bbdb668f19ae7d2a9816b)
  • Linux / Linux
    6.2
    Fixed in 0, 6.6.140, 6.12.90, 6.18.32, 7.0.9, 7.1-rc4
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H