Skip to main content

Linux Kernel CVE-2026-46286

| EUVDEUVD-2026-35151 MEDIUM
2026-06-08 Linux GHSA-5439-prm7-qcx4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges needed to trigger driver path; only kernel crash is realistic impact, no confidentiality or integrity effect applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 22:02 vuln.today
CVSS changed
Jul 08, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

leds: qcom-lpg: Check for array overflow when selecting the high resolution

When selecting the high resolution values from the array, FIELD_GET() is used to pull from a 3 bit register, yet the array being indexed has only 5 values in it. Odds are the hardware is sane, but just to be safe, properly check before just overflowing and reading random data and then setting up chip values based on that.

AnalysisAI

Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.

Technical ContextAI

The leds/qcom-lpg driver manages Qualcomm's Light Pulse Generator peripheral, used for LED control on Qualcomm SoC hardware (cpe:2.3:a:linux:linux). The vulnerability is in the high-resolution clock selection path, where FIELD_GET() extracts a 3-bit field from a hardware register. A 3-bit field produces values 0-7, but the lookup array for high-resolution values contains only 5 entries (indices 0-4). If the hardware register returns 5, 6, or 7 - whether due to unusual state, hardware fault, or attacker influence - the code reads past the end of the array into adjacent kernel memory and then programs chip registers based on that garbage data. While classified as CWE: N/A by the reporter, this is structurally a CWE-129 (Improper Validation of Array Index) and CWE-125 (Out-of-bounds Read) pattern. The fix adds a bounds check before array indexing.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1. Upstream stable commits are available at https://git.kernel.org/stable/c/28a2e047d03721e0517c67ee726eaa6621c30e5f (and related commits 36ce3094dc50598f38fd961b46688cd533940efc, 438e357b3cc6cd6900df271e4bc567bfe1142281, d45963a93c1495e9f1338fde91d0ebba8fd22474, f67a24e75d3251ba42538738120b6b659c0dca7d). Ubuntu users should apply USN-8488-1 or USN-8489-1 through the standard apt upgrade path. As a compensating control on systems that do not require Qualcomm LPG LED functionality, the module can be blacklisted by adding 'blacklist leds-qcom-lpg' to /etc/modprobe.d/blacklist.conf and regenerating initramfs - trade-off is loss of LED control on affected Qualcomm hardware. Systems without Qualcomm LPG hardware require no action as the driver will not be loaded.

Share

CVE-2026-46286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy