PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46232 Linux CVE debrief

A vulnerability in the Linux kernel's HID PlayStation driver could allow a malicious or compromised DualShock 4 controller to trigger an out-of-bounds read of up to approximately 2 KiB. The flaw exists in `dualshock4_parse_report()` where the `num_touch_reports` value provided by the device is used without validation to iterate over the `touch_reports` array. A device reporting up to 256 touch reports would cause the loop to read beyond array bounds, with the leaked data potentially exposed through evdev if the `DS4_TOUCH_POINT_INACTIVE` bit is set in the out-of-bounds memory. The fix clamps `num_touch_reports` to the maximum valid size of the array. This vulnerability requires physical access to attach a malicious USB device and affects systems with the `hid-playstation` driver loaded.

Vendor
Linux
Product
Unknown
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Organizations running Linux workstations or servers with PlayStation controller support enabled; gaming and entertainment industry infrastructure; embedded Linux systems with USB HID device support; security teams managing physical access controls for sensitive systems.

Technical summary

The `hid-playstation` driver in the Linux kernel fails to validate the `num_touch_reports` field in DualShock 4 HID reports. A malicious device can supply a value up to 255, causing `dualshock4_parse_report()` to read up to ~2 KiB beyond the `touch_reports` array. The out-of-bounds data may be emitted via evdev if bit 7 (`DS4_TOUCH_POINT_INACTIVE`) is set in the leaked bytes. The vulnerability is local, requires physical USB attachment, and could result in information disclosure from kernel memory. The fix clamps the device-provided value to `ARRAY_SIZE(touch_reports) - 1`.
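As an added illustration (not code from this page or from the kernel driver), the C model below reproduces the unchecked-count pattern described above and the clamp that closes it. The struct layout, field names, 9-byte touch report and three-slot array are assumptions for illustration; only `num_touch_reports`, `touch_reports` and the bit-7 `DS4_TOUCH_POINT_INACTIVE` flag come from the advisory, and the example bounds the count at the array length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DS4_TOUCH_POINT_INACTIVE 0x80  /* bit 7 of the contact byte, per the advisory */
#define DS4_TOUCH_REPORTS 3            /* assumed array length for this model */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified model of the touch area of a DualShock 4 input report; names and sizes assumed. */
struct ds4_touch_point  { uint8_t contact, x_lo, xy_mid, y_hi; };
struct ds4_touch_report { uint8_t timestamp; struct ds4_touch_point points[2]; };
struct ds4_report {
    uint8_t num_touch_reports;                          /* device-controlled */
    struct ds4_touch_report touch_reports[DS4_TOUCH_REPORTS];
};

/* Bytes an unclamped "for (i = 0; i < num_touch_reports; i++)" loop would read past
 * touch_reports[]. Computed arithmetically; nothing is dereferenced out of bounds. */
size_t ds4_oob_bytes(uint8_t num_touch_reports)
{
    if (num_touch_reports <= DS4_TOUCH_REPORTS)
        return 0;
    return (num_touch_reports - DS4_TOUCH_REPORTS) * sizeof(struct ds4_touch_report);
}

/* Hardened parse: clamp the device-supplied count to the array length before iterating,
 * then count touch points whose INACTIVE bit is clear. Returns the number of active points. */
int ds4_parse_touches(const struct ds4_report *r, int *reports_parsed)
{
    unsigned int n = r->num_touch_reports;
    int active = 0;

    if (n > ARRAY_SIZE(r->touch_reports))
        n = ARRAY_SIZE(r->touch_reports);  /* the fix: never trust n blindly */
    for (unsigned int i = 0; i < n; i++)
        for (int p = 0; p < 2; p++)
            if (!(r->touch_reports[i].points[p].contact & DS4_TOUCH_POINT_INACTIVE))
                active++;
    if (reports_parsed)
        *reports_parsed = (int)n;
    return active;
}

/* Constructed hostile report: count 255, every point inactive except one. */
int ds4_hostile_active(int *reports_parsed)
{
    struct ds4_report r;

    memset(&r, DS4_TOUCH_POINT_INACTIVE, sizeof r);
    r.num_touch_reports = 255;
    r.touch_reports[0].points[0].contact = 0x01;
    return ds4_parse_touches(&r, reports_parsed);
}
```

With the assumed 9-byte touch report, a count of 255 would carry the unclamped loop 2268 bytes past the three-slot array, in line with the ~2 KiB figure quoted above, while the clamped parser touches only the three real slots.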

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the fix for CVE-2026-46232 when available from your Linux distribution
  • Verify that systems with DualShock 4 controllers or other PlayStation HID devices are running patched kernel versions
  • Consider restricting physical USB device access on sensitive systems until patches are applied
  • Monitor kernel changelogs for backported fixes to stable kernel branches (5.15, 6.1, 6.6, 6.12, etc.)
  • Review systems for unexpected evdev events that could indicate exploitation attempts

Evidence notes

The vulnerability description and patch references are sourced from the official CVE record and NVD entry published 2026-05-28. The fix involves clamping `num_touch_reports` in the Linux kernel's HID PlayStation driver. Five stable kernel commits are referenced, indicating backports to multiple kernel versions. No CVSS score has been assigned as of the modified date (2026-05-28T13:44:01.663Z).

Official resources

2026-05-28