Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local driver interaction requires low-privilege user access; no confidentiality or integrity impact; kernel panic yields high availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
populate_enum_data() aggregates firmware-provided value-modifier and possible-value strings into fixed 512-byte struct members. The current code bounds each individual source string but then appends every string and separator with raw strcat() and no remaining-space check.
Switch the aggregation loops to a bounded append helper and reject enumeration packages whose combined strings do not fit in the destination buffers.
[ij: add include]
AnalysisAI
Unbounded string concatenation in the Linux kernel's Dell WMI BIOS interface driver (dell-wmi-sysman) allows a local low-privileged attacker on Dell hardware to crash the kernel. The populate_enum_data() function bounds each individual firmware-provided string but applies no remaining-space check during cumulative strcat() calls into fixed 512-byte struct members, enabling a buffer overflow that results in complete system availability loss. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) physical or remote shell access as any low-privileged local user on the target system; (2) Dell x86 hardware where the dell-wmi-sysman kernel module is loaded (typical on Dell laptops, desktops, and workstations running Linux); (3) BIOS firmware that exposes enumeration attributes whose combined value-modifier or possible-value string lengths exceed 512 bytes - this is a firmware data condition and may not be universally reproducible across all Dell BIOS versions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 score of 5.5 (Medium, AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterizes this as a local availability-only vulnerability requiring low privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged local user on a Dell system running a vulnerable kernel version accesses sysfs firmware attribute files exposed by the dell-wmi-sysman driver; if the Dell BIOS firmware provides enumeration packages with combined value-modifier or possible-value strings exceeding 512 bytes, the unbounded strcat() overflow corrupts adjacent kernel memory and triggers a kernel panic, causing immediate system reboot or hang. No public proof-of-concept exists at time of analysis, but the deterministic nature of the overflow (fixed buffer, predictable layout) means a technically capable attacker with local access could craft or induce the triggering condition. |
| Remediation | The primary fix is to upgrade to a patched Linux kernel release: 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (mainline). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2
The ViewPoint web application in Dell SonicWALL Global Management System (GMS) before 7.2 SP2, SonicWALL Analyzer before
The MySQL component in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) 9.0.1.19899 and earlier has a default passwor
Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute
Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) t
An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance vers
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 does not requir
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Data Protection
d4d/uploader.php in the web console in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.0 allows remote at
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privile
Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38890
GHSA-43hp-gwh9-j233