PatchSiren

CVE-2026-45969 Linux CVE debrief

A missing return value check in the Linux kernel's HID PlayStation driver could lead to incorrect behavior or potential crashes when force feedback (FF) effects are triggered. The `ps_gamepad_create()` function in the PlayStation HID driver calls `input_ff_create_memless()` without verifying whether the call succeeded. If `input_ff_create_memless()` fails (e.g., due to memory allocation failure), subsequent FF effect operations may operate on uninitialized or invalid data structures. The vulnerability has been resolved by adding proper error handling for the return value of `input_ff_create_memless()`. Multiple stable kernel branches have received patches.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations and individuals running Linux systems with PlayStation controllers (DualShock 4, DualSense) connected via USB or Bluetooth, particularly those using force feedback features in gaming or simulation applications. System administrators managing Linux workstations or embedded systems with PlayStation controller support should prioritize kernel updates.

Technical summary

The Linux kernel's HID PlayStation driver (`hid-playstation.c`) contains a vulnerability where `ps_gamepad_create()` fails to check the return value of `input_ff_create_memless()`. This function initializes force feedback (rumble/haptic) support for PlayStation controllers including DualShock 4 and DualSense. When `input_ff_create_memless()` fails—typically due to memory allocation failure—the driver continues without proper initialization, leading to potential null pointer dereferences or use of uninitialized data when FF effects are later triggered by applications. The fix adds proper error handling: if `input_ff_create_memless()` returns non-zero, the function cleans up and returns the error code, preventing the driver from registering a partially initialized input device.
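
The unchecked and checked patterns described above, reduced to a user-space C model. This is an added example, not the kernel's code or the upstream patch: `struct input_model`, `ff_create_model()`, `fail_alloc` and the two `gamepad_create_*` functions are hypothetical stand-ins for the driver's setup path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space model with hypothetical names; not kernel source. */
struct ff_model { int gain; };
struct input_model {
    bool ev_ff, registered;  /* FF advertised; device visible to applications */
    struct ff_model *ff;     /* stays NULL if FF setup failed */
};
static bool fail_alloc;      /* constructed hook: simulate allocation failure */

/* Stand-in for input_ff_create_memless(): 0 on success, -ENOMEM on failure. */
static int ff_create_model(struct input_model *dev)
{
    dev->ff = fail_alloc ? NULL : calloc(1, sizeof(*dev->ff));
    return dev->ff ? 0 : -ENOMEM;
}

/* Pre-fix pattern: the result is dropped and the device is registered anyway. */
static int gamepad_create_unchecked(struct input_model *dev)
{
    dev->ev_ff = true;
    ff_create_model(dev);
    dev->registered = true;
    return 0;
}

/* Fixed pattern: propagate the error so a half-built device is never registered. */
static int gamepad_create_checked(struct input_model *dev)
{
    int ret;

    dev->ev_ff = true;
    ret = ff_create_model(dev);
    if (ret)
        return ret;
    dev->registered = true;
    return 0;
}

/* What a later FF request relies on: registered + advertised implies ff is set. */
static bool ff_state_consistent(const struct input_model *dev)
{
    return !(dev->registered && dev->ev_ff) || dev->ff != NULL;
}
```

With `fail_alloc` set, the unchecked path returns success while leaving a registered device that advertises force feedback with a NULL `ff` pointer; the checked path returns `-ENOMEM` and registers nothing.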

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the fix for CVE-2026-45969 when available from your Linux distribution
  • Monitor stable kernel releases for backported patches to affected versions
  • Review systems using PlayStation controllers (DualShock 4, DualSense) via USB or Bluetooth for kernel update status
  • Consider disabling force feedback effects on affected systems if updates are not immediately available and controller functionality is not critical
  • Verify kernel version against patched versions once distribution advisories are published

Evidence notes

The CVE description and kernel.org commit references confirm this is a missing error check vulnerability in the HID PlayStation driver. The fix adds a return value check for `input_ff_create_memless()` in `ps_gamepad_create()`. Seven stable kernel commits are referenced, indicating backports to multiple supported kernel versions.

Official resources

2026-05-27