CVE-2026-43051
Published: 01 May 2026
Summary
CVE-2026-43051 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces bounds checking and validation of incoming Bluetooth HID report lengths to prevent out-of-bounds reads from maliciously crafted short reports.
Requires timely remediation by applying the kernel patch that adds explicit length checks for report IDs 0x03 and 0x04 in wacom_intuos_bt_irq().
Implements memory protections such as ASLR and non-executable stacks to mitigate kernel memory disclosure and crashes from out-of-bounds reads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OOB read enables kernel memory disclosure (facilitating credential collection via exploitation) and kernel crashes (direct system exploitation for DoS).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying…
more
data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received.
Deeper analysisAI
CVE-2026-43051 is an out-of-bounds read vulnerability in the Linux kernel's Wacom Intuos Bluetooth HID driver, specifically in the wacom_intuos_bt_irq() function. This function processes incoming Bluetooth HID reports without adequate bounds checking, allowing a maliciously crafted short report to trigger an out-of-bounds read when copying data into the wacom structure. Reports 0x03 and 0x04 are affected, with 0x03 requiring at least 22 bytes and 0x04 (which falls through to 0x03 processing) requiring 32 bytes for safe handling. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
An attacker in adjacent physical proximity, such as within Bluetooth range, can exploit this vulnerability by sending a specially crafted short HID report over Bluetooth to a targeted system with the Wacom Intuos driver loaded. No privileges or user interaction are required, and the attack has low complexity. Successful exploitation can result in high-impact confidentiality violations through disclosure of sensitive kernel memory and high-impact availability disruption, such as kernel crashes or denial of service, while integrity remains unaffected.
The provided references point to stable kernel patch commits that mitigate the issue by adding explicit length checks for report IDs 0x03 and 0x04 in wacom_intuos_bt_irq(), ensuring reports meet the minimum required sizes before processing. Short reports now trigger a logged warning instead of proceeding with the read operation. Security practitioners should apply these upstream patches to affected Linux kernel versions supporting Wacom Intuos Bluetooth devices.
Details
- CWE(s)