CVE-2026-46232
HID: playstation: Clamp num_touch_reports
Description
In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.
INFO
Published Date :
May 28, 2026, 10:16 a.m.
Last Modified :
June 10, 2026, 9:11 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
Solution
- Apply the patch for HID: playstation: Clamp num_touch_reports.
- Update the Linux kernel to a fixed version.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-46232.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-46232 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-46232
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-46232 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-46232 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jun. 10, 2026
Action Type Old Value New Value Added CWE NVD-CWE-noinfo Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.140 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.13 up to (excluding) 6.18.32 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.12.90 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.19 up to (excluding) 7.0.9 Added Reference Type kernel.org: https://git.kernel.org/stable/c/0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/208f6d5b1dfd6399bc6af9e11f27f1f496243ed0 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/7812694752a5f295eaa05a093b90a2c332666051 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/9c031b24aed6733b6dcc5d98527875b8654a04e9 Types: Patch Added Reference Type kernel.org: https://git.kernel.org/stable/c/cac61b58a3b6340c52afa06bb15eac033158db2f Types: Patch -
CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 30, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H -
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
May. 28, 2026
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array. Added Reference https://git.kernel.org/stable/c/0bc4cf1a6ba00fb8c074531b179bc7b97502fbc4 Added Reference https://git.kernel.org/stable/c/208f6d5b1dfd6399bc6af9e11f27f1f496243ed0 Added Reference https://git.kernel.org/stable/c/7812694752a5f295eaa05a093b90a2c332666051 Added Reference https://git.kernel.org/stable/c/9c031b24aed6733b6dcc5d98527875b8654a04e9 Added Reference https://git.kernel.org/stable/c/cac61b58a3b6340c52afa06bb15eac033158db2f