Cyber Resilience

CVE-2026-23178

High

Published: 14 February 2026
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (see Deeper analysis)
CVSS v3.1 score: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.0002 (4.7th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23178 is a high-severity vulnerability of an unspecified weakness type (no CWE listed) in the Linux kernel (affected product inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 4.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23178 is a potential buffer overflow vulnerability in the Linux kernel's HID i2c-hid subsystem, specifically within the i2c_hid_get_report() function. The flaw occurs because i2c_hid_xfer() reads recv_len + sizeof(__le16) bytes of data into ihid->rawbuf, where recv_len originates from userspace via the hidraw driver and is bounded only by the default HID_MAX_BUFFER_SIZE of 16384. This can exceed the actual buffer size, which is determined at runtime by the maximum size of different report types for a given device.

A local attacker can trigger this vulnerability by supplying a large recv_len value through the hidraw interface. The CVSS vector rates the required privileges as low (PR:L), but in practice access to hidraw devices requires root, which limits the real-world impact. Successful exploitation could lead to high confidentiality, integrity, and availability impacts (CVSS 7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes.

Mitigation is provided through kernel patches in stable branches, as detailed in the referenced commits (e.g., 2124279f1f8c32c1646ce98e75a1a39b23b7db76). These fixes truncate recv_len to ihid->bufsize - sizeof(__le16), preventing the overflow while maintaining compatibility. Security practitioners should apply the latest stable kernel updates to affected systems.
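The length handling the analysis describes, shown as an added illustration rather than code from this page or from the Linux kernel's i2c-hid driver: a simplified C model that compares the pre-fix transfer length, bounded only by HID_MAX_BUFFER_SIZE, with the post-fix clamp to ihid->bufsize - sizeof(__le16). The function names (xfer_len_unclamped, xfer_len_clamped, overflow_bytes, copy_report_clamped), the LEN_PREFIX_SIZE stand-in for sizeof(__le16), the 64-byte device buffer and the report bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the length handling described for
 * CVE-2026-23178. This is not the kernel's i2c-hid code; the names mirror
 * the advisory so the two code paths can be compared side by side. */

#define HID_MAX_BUFFER_SIZE 16384            /* default hidraw bound named in the advisory */
#define LEN_PREFIX_SIZE     sizeof(uint16_t) /* stand-in for sizeof(__le16) */

/* Pre-fix path: recv_len (supplied via hidraw) is bounded only by
 * HID_MAX_BUFFER_SIZE, so the transfer length ignores the device-specific
 * rawbuf size. Returns the number of bytes the transfer would write. */
size_t xfer_len_unclamped(size_t recv_len)
{
    if (recv_len > HID_MAX_BUFFER_SIZE)
        recv_len = HID_MAX_BUFFER_SIZE;
    return recv_len + LEN_PREFIX_SIZE;
}

/* Post-fix path: truncate recv_len to bufsize - sizeof(__le16) first, so the
 * transfer can never exceed rawbuf. A bufsize smaller than the length prefix
 * would make the subtraction wrap, so the model treats it as "nothing fits"
 * (an assumption of this model, not a statement about the real driver). */
size_t xfer_len_clamped(size_t bufsize, size_t recv_len)
{
    if (bufsize < LEN_PREFIX_SIZE)
        return 0;
    size_t max_recv = bufsize - LEN_PREFIX_SIZE;
    if (recv_len > max_recv)
        recv_len = max_recv;
    return recv_len + LEN_PREFIX_SIZE;
}

/* Bytes that would land past the end of a rawbuf of bufsize bytes
 * (0 means the transfer fits). */
size_t overflow_bytes(size_t bufsize, size_t xfer_len)
{
    return xfer_len > bufsize ? xfer_len - bufsize : 0;
}

/* Hardened copy using the clamped length: the device's report bytes are
 * copied behind a 2-byte little-endian length prefix (prefix holds the
 * transfer length in this model), and an over-long report is truncated to
 * the buffer instead of overrunning it. Returns bytes written. */
size_t copy_report_clamped(unsigned char *rawbuf, size_t bufsize,
                           const unsigned char *report, size_t recv_len)
{
    size_t n = xfer_len_clamped(bufsize, recv_len);
    if (n == 0)
        return 0;
    rawbuf[0] = (unsigned char)(n & 0xff);
    rawbuf[1] = (unsigned char)((n >> 8) & 0xff);
    memcpy(rawbuf + LEN_PREFIX_SIZE, report, n - LEN_PREFIX_SIZE);
    return n;
}

int main(void)
{
    /* Constructed device: its largest report is 62 bytes, so rawbuf holds
     * 62 + 2 = 64 bytes; userspace asks for a 4096-byte report. */
    size_t bufsize = 64, recv_len = 4096;
    size_t before = xfer_len_unclamped(recv_len);
    size_t after  = xfer_len_clamped(bufsize, recv_len);

    printf("rawbuf=%zu recv_len=%zu\n", bufsize, recv_len);
    printf("unclamped transfer: %zu bytes, overflow %zu\n",
           before, overflow_bytes(bufsize, before));
    printf("clamped transfer:   %zu bytes, overflow %zu\n",
           after, overflow_bytes(bufsize, after));
    return 0;
}
```

The point of the clamp is that the bound comes from the buffer the bytes are written into, not from a global maximum that has nothing to do with this device; HID_MAX_BUFFER_SIZE alone is a valid bound only for devices whose rawbuf happens to be that large.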

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()

`i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel buffer overflow enabling arbitrary code execution and privilege escalation from a low-privileged context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Kernel
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE by requiring timely application of the kernel patch that truncates recv_len to ihid->bufsize - sizeof(__le16), preventing the buffer overflow.

SI-10 Information Input Validation (prevent)
Mandates validation of userspace-provided recv_len values against the actual buffer size in i2c_hid_get_report() to block oversized inputs causing overflows.

Memory safeguards (prevent)
Implements memory safeguards like non-executable stacks and ASLR to limit successful exploitation of the buffer overflow for code execution or crashes.

References