CVE-2026-23178
Published: 14 February 2026
Summary
CVE-2026-23178 is a high-severity vulnerability in the Linux kernel (inferred from references); the weakness type (CWE) is not specified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 4.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23178 is a potential buffer overflow in the Linux kernel's i2c-hid transport driver (HID over I2C), specifically in i2c_hid_get_report(). That function calls i2c_hid_xfer() to read recv_len + sizeof(__le16) bytes (a two-byte little-endian length prefix followed by the report) into ihid->rawbuf. recv_len originates from userspace via the hidraw driver and is bounded only by the default HID_MAX_BUFFER_SIZE of 16384, because i2c-hid does not set the max_buffer_size field of its struct hid_ll_driver. The size of rawbuf, ihid->bufsize, is determined at runtime from the largest report the particular device can return and can be much smaller than 16384, so a large recv_len makes the transfer run past the end of the buffer.
A local attacker triggers the flaw by issuing a report request through the hidraw interface with a recv_len larger than the device's actual buffer. The CVSS vector (7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) assumes a low-privileged local attacker, but the upstream commit message notes that access to hidraw devices requires root, which limits the practical impact. A successful trigger corrupts kernel memory past ihid->rawbuf, which could lead to a kernel crash, data corruption, or, in the worst case, arbitrary code execution in kernel context.
Mitigation is provided through kernel patches in the stable branches, as detailed in the referenced commits (e.g., 2124279f1f8c32c1646ce98e75a1a39b23b7db76). The fix truncates recv_len to ihid->bufsize - sizeof(__le16) before the transfer, so recv_len + sizeof(__le16) can never exceed the buffer, while the caller still receives as much of the report as the buffer holds. Practitioners should apply the latest stable kernel update for their distribution to affected systems, and, as an interim measure, confirm that hidraw device nodes are not readable or writable by unprivileged users.
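To make the length arithmetic concrete, here is a userspace model of the two paths described above, written for this page rather than taken from the kernel: the pre-fix path reads recv_len + sizeof(__le16) bytes into a buffer whose size is fixed at probe time, and the hardened path clamps recv_len to bufsize - sizeof(__le16) first. Names such as i2c_hid_clamp_recv_len, simulate_get_report, the 64-byte bufsize, the 256-byte arena and the 'A' byte pattern are constructed for the demonstration and do not appear in the kernel.

```c
/*
 * Userspace model of the length handling in i2c_hid_get_report().
 * Not kernel code: struct names, sizes and the byte pattern are constructed
 * for the demonstration. It models the two quantities the advisory contrasts:
 *   recv_len       - requested report size, userspace-controlled via hidraw,
 *                    bounded only by HID_MAX_BUFFER_SIZE (16384)
 *   ihid->bufsize  - actual size of ihid->rawbuf, fixed at probe time from
 *                    the device's largest report (here an assumed 64 bytes)
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HID_MAX_BUFFER_SIZE 16384u   /* upstream default ceiling for hidraw requests */
#define MODEL_BUFSIZE        64u     /* assumed ihid->bufsize for a small device */
#define MODEL_ARENA         256u     /* rawbuf plus the neighbouring memory we watch */
#define CANARY              0xC3     /* fill value for the neighbouring memory */

struct ihid_model {
    size_t   bufsize;           /* models ihid->bufsize */
    uint8_t *rawbuf;            /* models ihid->rawbuf (points into the arena) */
};

/* The fix: clamp the userspace length so recv_len + sizeof(__le16) <= bufsize. */
size_t i2c_hid_clamp_recv_len(size_t bufsize, size_t recv_len)
{
    size_t max_len = bufsize - sizeof(uint16_t);
    return recv_len > max_len ? max_len : recv_len;
}

/* Bytes i2c_hid_xfer reads for a given recv_len: 2-byte LE length prefix + payload. */
size_t i2c_hid_xfer_len(size_t recv_len)
{
    return recv_len + sizeof(uint16_t);
}

/* Constructed device reply: LE16 length prefix followed by 'A' payload bytes. */
static void device_reply(uint8_t *dst, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint8_t)'A';
    if (n >= 2) {
        dst[0] = (uint8_t)(n & 0xff);
        dst[1] = (uint8_t)(n >> 8);
    }
}

/*
 * Run one GET_REPORT with the given recv_len into a fresh arena.
 * hardened=0 reproduces the pre-fix path, hardened=1 applies the clamp.
 * Returns 1 if the memory after rawbuf is intact, 0 if the read ran past it,
 * -1 if hidraw would already have rejected the request.
 * The read is capped at the arena size only so the model itself stays in bounds.
 */
int simulate_get_report(size_t recv_len, int hardened)
{
    uint8_t arena[MODEL_ARENA];
    struct ihid_model ihid = { .bufsize = MODEL_BUFSIZE, .rawbuf = arena };

    memset(arena, CANARY, sizeof arena);

    if (recv_len > HID_MAX_BUFFER_SIZE)
        return -1;                      /* hidraw's own HID_MAX_BUFFER_SIZE check */
    if (hardened)
        recv_len = i2c_hid_clamp_recv_len(ihid.bufsize, recv_len);

    size_t len = i2c_hid_xfer_len(recv_len);
    if (len > sizeof arena)
        len = sizeof arena;             /* model-only cap, see comment above */
    device_reply(ihid.rawbuf, len);     /* the i2c_hid_xfer() read into rawbuf */

    for (size_t i = ihid.bufsize; i < sizeof arena; i++)
        if (arena[i] != CANARY)
            return 0;                   /* overflow: neighbouring memory clobbered */
    return 1;
}

int main(void)
{
    printf("recv_len=16384 clamps to %zu\n", i2c_hid_clamp_recv_len(MODEL_BUFSIZE, 16384));
    printf("vulnerable, recv_len=100: neighbour intact=%d\n", simulate_get_report(100, 0));
    printf("hardened,   recv_len=100: neighbour intact=%d\n", simulate_get_report(100, 1));
    return 0;
}
```

The canary region stands in for whatever the kernel allocator placed after rawbuf; with the model's 64-byte buffer, any recv_len above 62 corrupts it on the pre-fix path, while the clamped path never writes past bufsize regardless of the requested length.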
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6112
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`. The former can come from the userspace in the hidraw driver and is only bounded by HID_MAX_BUFFER_SIZE(16384) by default (unless we also set `max_buffer_size` field of `struct hid_ll_driver` which we do not). The latter has size determined at runtime by the maximum size of different report types you could receive on any particular device and can be a much smaller value. Fix this by truncating `recv_len` to `ihid->bufsize - sizeof(__le16)`. The impact is low since access to hidraw devices requires root.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
A local kernel buffer overflow that corrupts memory past ihid->rawbuf can enable arbitrary code execution in kernel context and therefore privilege escalation from a low-privileged (per the CVSS vector) or root-only (per the upstream commit) local context.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely application of the kernel patch that truncates recv_len to ihid->bufsize - sizeof(__le16), preventing the buffer overflow.
- SI-10 (Information Input Validation): mandates validation of the userspace-provided recv_len against the actual buffer size in i2c_hid_get_report(), blocking oversized requests before the transfer.
- Memory protection controls: kernel hardening such as non-executable memory and address-space randomization limits how reliably the overflow can be turned into code execution, but does not prevent the memory corruption or a resulting crash.