CVE-2026-43051 [High] | Out-of-bounds Read in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.26%	+0.23%
2	2026-05-02	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.02%

0.26%

+0.23%

2026-05-02

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.1	3.1	HIGH	`CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H` Click to expand Attack vector (AV:A) Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	5.2	416baaa9-dc9f-4396-8d5f-8c081fb06d67

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.1

3.1

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H Click to expand

Attack vector (AV:A): Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

5.2

416baaa9-dc9f-4396-8d5f-8c081fb06d67

OS Trackers for CVE-2026-43051

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-43051 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2026-43051
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-43051
`suse`	medium	CVE-2026-43051 severity moderate: SUSE including 17 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 57 product×package rows across 14 product lines (SUSE Linux Enterprise High Availability Extension 15 SP7, SUSE Linux Enterprise Live Patching 15 SP7, … (14 product lines)): Known Not Affected 57.	https://www.suse.com/security/cve/CVE-2026-43051/
`ubuntu`	medium	CVE-2026-43051 medium priority: Ubuntu including 161 source packages (linux, linux-allwinner-5.19, …), 1449 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): DNE 1048, ignored 173, needed 130, released 83, not-affected 10, needs-triage 5.	https://ubuntu.com/security/CVE-2026-43051

Affected software / configurations for CVE-2026-43051

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 3.3, < 5.10.253	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.11, < 5.15.203	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.16, < 6.1.168	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.2, < 6.6.134	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.7, < 6.12.81	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.13, < 6.18.22	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19, < 6.19.12	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
linux	linux_kernel	7.0	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::

References for CVE-2026-43051

URL	Tags
https://git.kernel.org/stable/c/2f1763f62909ccb6386ac50350fa0abbf5bb16a9	Patch
https://git.kernel.org/stable/c/3d78386b144453c47e81bf62dc3601b757f02d99	Patch
https://git.kernel.org/stable/c/41026bcc0fdf82605205c27935ef719cbc07193b	Patch
https://git.kernel.org/stable/c/5b5b9730111808410e404ceac2fabd32eef92fbd	Patch
https://git.kernel.org/stable/c/8bd690ac1242332c73cba10dacdad6c6642bbb94	Patch
https://git.kernel.org/stable/c/c8dc23c97680eebefde06da5858aaef1b37cf75d	Patch
https://git.kernel.org/stable/c/d0ae84b3c9f3ea1a564eb1b7612113ca9fe8aada	Patch
https://git.kernel.org/stable/c/fa8901cb1f0b2113a342db93bd5684b59fe99dcf	Patch

URL

CVE-2026-43051 | HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

Exploit prediction scoring system (EPSS) score for CVE-2026-43051

Common vulnerability scoring system (CVSS) metrics for CVE-2026-43051

Weakness enumeration for CVE-2026-43051

GitHub Security Advisory for CVE-2026-43051

OS Trackers for CVE-2026-43051

Affected software / configurations for CVE-2026-43051

References for CVE-2026-43051