What is CVE-2021-46906?

CVE-2021-46906 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10. CVE-2021-46906 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2021-46906?

CVE-2021-46906 has a CVSS score of 5.5 out of 10, rated Medium severity. The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Is there a patch available for CVE-2021-46906?

No patch is currently available for CVE-2021-46906. Monitor the NIST NVD and your Linux distribution's security advisories for updates.

Is CVE-2021-46906 actively exploited?

CVE-2021-46906 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2021-46906

Medium

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to calculate transfer_buffer_length as 16384. When this urb is passed to the usb core layer, KMSAN reports an info leak of 16384 bytes. To fix this, first modify hid_report_len() to account for the zero report size case by using DIV_ROUND_UP for the division. Then, call it from hid_submit_ctrl().

Package Linux Kernel

Published 2024-02-26

Last modified 2025-12-10

CVSS version 3.1

Patch available

Awaiting data

CVSS 3.1 score

5.5

out of 10

Medium

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weakness type

CWE-668

CVE-2021-46906 is classified as CWE-668

See CWE-668 on MITRE CWE for full details on this weakness type.

References

The following references provide additional information about CVE-2021-46906 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/0e280502be1b003c3483ae03fc60dea554fcfa82
Patch
Kernel patch commit
https://git.kernel.org/stable/c/21883bff0fd854e07429a773ff18f1e9658f50e8
Patch
Kernel patch commit
https://git.kernel.org/stable/c/41b1e71a2c57366b08dcca1a28b0d45ca69429ce
Patch

8 patch commits total View all on NVD

Details

CVE ID CVE-2021-46906

Severity Medium

CVSS score 5.5 / 10

CVSS version 3.1

Published 2024-02-26

Modified 2025-12-10

KEV No

Patch Awaiting data

Package linux

Frequently asked questions

What is CVE-2021-46906?

CVE-2021-46906 is a Medium severity Linux kernel vulnerability with a CVSS score of 5.5 out of 10 . CVE-2021-46906 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
What is the CVSS score for CVE-2021-46906?

CVE-2021-46906 has a CVSS score of 5.5 out of 10, rated Medium severity (CVSS 3.1). The vector string is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
Is there a patch available for CVE-2021-46906?

No patch is currently available for CVE-2021-46906. Monitor the NIST NVD and your Linux distribution's security advisories for updates.
Is CVE-2021-46906 actively exploited?

No — CVE-2021-46906 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.