Skip to main content

Linux Kernel CVE-2026-46332

| EUVDEUVD-2026-35432 HIGH
Classic Buffer Overflow (CWE-120)
2026-06-09 Linux GHSA-hf99-m7vw-4p34
8.0
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.0 HIGH
AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Serdev/UART link to an on-board CC1352 is effectively local (AV:L); shaping a multi-chunk overflow during a bootloader handshake is non-trivial (AC:H); no kernel auth needed (PR:N) but bootloader flow must be entered (UI:R).

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:38 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
8.0 (HIGH)
Patch available
Jun 09, 2026 - 15:01 EUVD
CVE Published
Jun 09, 2026 - 12:36 cve.org
HIGH 8.0
CVE Published
Jun 09, 2026 - 12:36 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

greybus: gb-beagleplay: bound bootloader receive buffering

cc1352_bootloader_rx() appends each serdev chunk into the fixed rx_buffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may receive multiple packets in one callback, so a single count value is not constrained by one packet length.

Check that the incoming chunk fits in the remaining receive buffer space before memcpy(). If it does not, drop the staged data and consume the bytes instead of overflowing rx_buffer.

AnalysisAI

Buffer overflow in the Linux kernel's greybus gb-beagleplay driver allows an adjacent attacker with control over the cc1352 bootloader serial data stream to overflow the fixed rx_buffer used to stage bootloader packets. The cc1352_bootloader_rx() handler appends serdev chunks without validating they fit in remaining buffer space, enabling memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

The vulnerability resides in drivers/greybus/gb-beagleplay.c, the Greybus host driver for the BeaglePlay board that talks to a CC1352 radio coprocessor over a serdev (serial device) channel. The cc1352_bootloader_rx() callback receives chunks from the UART, accumulates them in a fixed-size rx_buffer, and then parses bootloader packets out of the buffered stream. Because the helper can retain leftover bytes between callbacks and may receive multiple packets per callback, the incoming chunk length is not bounded by a single packet size; without a remaining-space check, the memcpy() can write past the end of rx_buffer. The bug class is a classic out-of-bounds write in a kernel driver (CWE-787-style), specifically in the Linux greybus subsystem on BeaglePlay-class hardware (cpe:2.3:a:linux:linux).

RemediationAI

Vendor-released patch: upgrade the Linux kernel to 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or any later stable release that includes commits 663c2728, 0339a746, 1214bf28, or fb91d4e4), which add the remaining-space check before the memcpy() in cc1352_bootloader_rx() so oversized serdev chunks are dropped instead of overflowing rx_buffer; the upstream fixes are at https://git.kernel.org/stable/c/663c2728a6d0f781044431111b53a27f71027e48 and the three sibling commits listed in the references. On systems where an immediate kernel update is not possible, the only meaningful compensating control is to avoid loading the gb-beagleplay driver on hardware that does not need it (blacklist the module in /etc/modprobe.d/, accepting that BeaglePlay greybus connectivity to the CC1352 radio will be unavailable) and to restrict physical access to the UART/serdev link that feeds the bootloader receive path. There is no meaningful network-side mitigation since the data path is an on-board serial link.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy