Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Local, low-privilege, low-complexity access to Tegra hardware (AV:L/AC:L/PR:L); out-of-bounds read can leak kernel memory (C:H) and crash the system (A:H) with no integrity impact (I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
Fix incorrect ARRAY_SIZE usage in fabric lookup tables which could cause out-of-bounds access during target timeout lookup.
AnalysisAI
Out-of-bounds memory access in the Linux kernel's NVIDIA Tegra Control Backbone (CBB) driver (soc/tegra: cbb) stems from an incorrect ARRAY_SIZE calculation in the fabric lookup tables, which can be triggered during a target timeout lookup on Tegra-based systems. A local, low-privileged attacker on affected Tegra hardware could read out-of-bounds kernel memory (information disclosure) or crash the system (denial of service), with CVSS 7.1. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access with at least low privileges (CVSS PR:L, AV:L) on a system running the NVIDIA Tegra CBB driver - i.e., the kernel must be built with Tegra SoC support AND running on Tegra hardware; the bug cannot be reached on non-Tegra systems regardless of kernel version. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent and point to a real-but-not-urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already has a low-privileged local account or code execution on a Tegra-based device (e.g., a Jetson board, automotive head unit, or embedded appliance) induces a control-backbone transaction timeout, causing the CBB driver to perform an out-of-bounds lookup that reads adjacent kernel memory or triggers a kernel fault. This could leak sensitive kernel data toward a privilege-escalation chain or simply crash the device (DoS). … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 6.18.33, 7.0.10, or 7.1 or later (the fix is also backported to the relevant stable trees via commits f46870b4..., 5c009a5f..., and 499f7e5e... … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Linux kernels on NVIDIA Tegra hardware and verify current kernel versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38912
GHSA-24hf-c9jr-vvfw