CVE-2026-43136

EUVD-2026-27696
In the Linux kernel, the following vulnerability has been resolved:

HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()

Do not crash when a report has no fields.

Fake USB gadgets can send their own HID report descriptors and can define report
structures without valid fields.  This can be used to crash the kernel over USB.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.2 ≤
𝑥
< 5.10.252
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.202
linuxlinux_kernel
5.16 ≤
𝑥
< 6.1.165
linuxlinux_kernel
6.2 ≤
𝑥
< 6.6.128
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.75
linuxlinux_kernel
6.13 ≤
𝑥
< 6.18.16
linuxlinux_kernel
6.19 ≤
𝑥
< 6.19.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/1547d41f9f19d691c2c9ce4c29f746297baef9e9
https://git.kernel.org/stable/c/1acb28123e57b50d737377f400f57eec889fe5e4
https://git.kernel.org/stable/c/2dc023dbc11b8dfa8afa63242762acd8cddcad03
https://git.kernel.org/stable/c/7f59999fcd699af06ad2aef446a635ea6aa87db3
https://git.kernel.org/stable/c/ae81fac9ce81917817d787e6b74e68482d99bdf2
https://git.kernel.org/stable/c/b74bf7d0d01fa9b53653f58c29aa00772121f6e9
https://git.kernel.org/stable/c/f1ceaaf93ea32d0f2b95c95f784ee155962c52ad
https://git.kernel.org/stable/c/fb1725c0804dbec9dd01c4cb5c9f1f77a69e36dc