Skip to main content

Linux Kernel CVE-2026-43354

| EUVDEUVD-2026-28660 MEDIUM
Divide By Zero (CWE-369)
2026-05-08 Linux GHSA-354w-x6pj-669w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 21:00 vuln.today
CVSS changed
May 15, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iio: proximity: hx9023s: Protect against division by zero in set_samp_freq

Avoid division by zero when sampling frequency is unspecified.

AnalysisAI

Local denial of service in the Linux kernel's HX9023S proximity sensor driver (iio subsystem) allows authenticated users with low privileges to crash the system via division by zero when setting sampling frequency with an unspecified value. Patch available from kernel.org stable trees for versions 6.12.78, 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation activity. No public exploit code or active exploitation (not in CISA KEV) confirmed at time of analysis.

Technical ContextAI

This vulnerability affects the Industrial I/O (IIO) subsystem in the Linux kernel, specifically the HX9023S proximity sensor driver used for capacitive touch/proximity detection. The flaw exists in the set_samp_freq function where user-supplied sampling frequency values are not validated before being used as a divisor. CWE-369 (Divide By Zero) occurs when userspace attempts to configure sensor sampling rates through sysfs attributes without proper input validation. The affected code path is triggered through standard IIO framework interfaces that allow privileged users to tune sensor parameters. The HX9023S is a low-power capacitive proximity sensor commonly found in embedded Linux systems, smartphones, and IoT devices. CPE strings indicate the vulnerability spans multiple kernel version branches starting from commit 60df548277b7281171f51b87b214ab6717fc6101 through kernel 6.12 and affects systems where the hx9023s driver module is loaded.

RemediationAI

Apply vendor-released kernel patches immediately for affected stable branches: upgrade to Linux 6.12.78 or later for 6.12.x series, 6.18.19 or later for 6.18.x series, 6.19.9 or later for 6.19.x series, or mainline 7.0 or later. Patches available at kernel.org stable repository via commit links provided in CVE references (https://git.kernel.org/stable/c/451ec5e67444f8460f9706a1bde146b5bbc86ce6 and associated commits). For systems unable to apply kernel updates immediately, compensating controls include: disable the hx9023s kernel module via modprobe blacklist if the HX9023S sensor hardware is not operationally required (trade-off: loss of proximity sensor functionality), restrict access to /sys/bus/iio/devices/ sysfs attributes to root only via chmod/chown (trade-off: breaks applications expecting standard IIO permissions), or implement mandatory access control policies (SELinux/AppArmor) to prevent untrusted local users from writing to IIO device sampling frequency attributes (trade-off: requires custom policy development and testing). Verify patch application by checking kernel version with uname -r and confirming presence of fixed commits in kernel git log.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy