HIGH 8.1

CVE-2026-46232: Linux Kernel PlayStation HID Buffer Over-Read Information Disclosure

A vulnerability exists in the Linux kernel's PlayStation HID (Human Interface Device) driver that allows a malicious or malfunctioning PlayStation controller to cause the system to read beyond the bounds of a memory buffer. When processing touch input data, the driver fails to validate the number of touch reports claimed by the device, potentially exposing up to 2 KB of kernel memory that may then be leaked to userspace through input event channels if certain conditions are met. An attacker with physical access to a system or the ability to present a rogue USB device could exploit this to read sensitive information from kernel memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Weaknesses (CWE)
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the dualshock4_parse_report function within the HID PlayStation driver (drivers/hid/hid-playstation.c). The kernel trusts a device-supplied num_touch_reports value without validation, allowing an out-of-bounds read when iterating over the touch_reports array. The touch_reports array has a fixed size limit, but the device can claim more reports than that limit. During iteration, if the DS4_TOUCH_POINT_INACTIVE bit is set in out-of-bounds memory regions, that data is emitted through the evdev subsystem, resulting in information disclosure. The fix implements clamping to ensure num_touch_reports never exceeds the array bounds.

Business impact

This vulnerability primarily affects systems using PlayStation controllers with the Linux kernel. While the attack requires either physical device access or the ability to connect a malicious USB device, successful exploitation can leak sensitive kernel memory contents. For systems in shared computing environments, data centers, or kiosk-style deployments where untrusted users might plug in devices, this creates a confidentiality risk. The vulnerability does not enable code execution or direct denial of service, but the memory leak could facilitate further privilege escalation attacks if the leaked data contains kernel address space layout information or other secrets.

Affected systems

All Linux kernel versions are affected through the HID PlayStation driver subsystem. The vulnerability impacts any system running the linux_kernel package with the HID PlayStation driver enabled and configured to accept input from PlayStation DualShock 4 controllers via USB or Bluetooth HID transport. Systems without PlayStation controller support or those not loading the hid-playstation driver module are unaffected.

Exploitability

Exploitation requires either physical access to connect a USB device or prior compromise allowing device emulation. The attacker must craft a malicious HID device that reports an inflated num_touch_reports value and sets the DS4_TOUCH_POINT_INACTIVE bit in out-of-bounds memory regions to trigger information disclosure. The attack is deterministic once a device is connected; no user interaction is required. This is moderately exploitable in controlled environments but has limited real-world impact for systems in restrictive physical security postures. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation

Apply the Linux kernel patch that implements clamping of the num_touch_reports value to the maximum size of the touch_reports array. This validation should be performed during device initialization or report parsing to reject any device-supplied value exceeding the array bounds. Verify that your kernel version includes the fix by checking the upstream commit or your distribution's security advisory. For systems not requiring PlayStation controller support, disabling or removing the hid-playstation module eliminates the attack surface entirely.

Patch guidance

Obtain updates from your Linux distribution's security repository. Distributions maintain their own backport schedules; verify the patch status in your vendor's advisory. For systems running directly from upstream Linux sources, apply the commit that adds the clamping logic to dualshock4_parse_report. Test the patched kernel with connected PlayStation controllers to ensure touch input remains functional. If using modular builds, verify that hid-playstation is rebuilt with the updated source.

Detection guidance

Monitor kernel logs for any unusual memory access patterns or HID device initialization failures. Implement device allowlisting policies to restrict which USB HID devices are permitted to connect. Use udev rules to block or restrict PlayStation HID devices if they are not required. Audit systems for active hid-playstation module loading; unload the module on systems where it is not needed. Consider deploying endpoint detection tools that monitor for suspicious USB device connections from untrusted sources.

Why prioritize this

While the CVSS score of 8.1 indicates a HIGH severity vulnerability due to the combination of information disclosure and potential system impact, real-world exploitability is limited by the requirement for physical device access or prior compromise. Organizations should prioritize patching based on their threat model: high-priority for systems in high-security environments where device attachment is possible, moderate-priority for datacenter and cloud environments with restricted physical access. The lack of KEV status and public exploits suggests limited immediate threat activity.

Risk score, explained

The CVSS 3.1 score of 8.1 (HIGH) reflects a high-impact information disclosure vulnerability with high attack complexity requirements (Physical proximity: AV:A). The score accounts for confidentiality impact (C:H) and availability impact (A:H), though the latter is limited to potential denial of service through device misbehavior rather than kernel crash. The score does not penalize for the requirement of physical device access, which would significantly lower real-world exploitability in most enterprise environments.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. Exploitation requires either physical access to a USB port or the ability to connect a malicious USB HID device via Bluetooth. An attacker cannot trigger this vulnerability over a network connection.

What Linux distributions are affected?

All distributions shipping the Linux kernel with the HID PlayStation driver enabled are potentially affected. This includes major distributions like Ubuntu, Fedora, Debian, and others. Check your distribution's security advisory for specific version guidance and patch availability.

Do I need to disable PlayStation controller support entirely?

Only if you do not use PlayStation controllers. If you do not use DualShock 4 controllers, you can disable or blacklist the hid-playstation module to eliminate the attack surface. Otherwise, apply the available kernel patch.

Is there a workaround if I cannot patch immediately?

Until patching is possible, restrict physical access to USB ports, disable Bluetooth HID device discovery if not needed, and implement device whitelisting policies via udev. Monitor for suspicious HID device connections in audit logs.

This analysis is based on publicly available vulnerability data current as of the publication date. CVSS scores and severity assessments are provided by the vulnerability source and reflect standardized metrics; your organization's risk may differ based on deployment, threat model, and business context. Patch version numbers and specific distribution timelines should be verified against vendor security advisories. This vulnerability intelligence does not constitute professional security advice; consult with your security team to determine remediation priority based on your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).