Skip to main content

Linux Kernel EUVDEUVD-2026-26560

| CVE-2026-31747 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:38 vuln.today
CVSS changed
May 07, 2026 - 19:37 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26560
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

comedi: me4000: Fix potential overrun of firmware buffer

me4000_xilinx_download() loads the firmware that was requested by request_firmware(). It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable file_length and reads the data stream contents of length file_length from offset 16 onwards.

Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return -EINVAL.

Note: The firmware loading was totally broken before commit ac584af59945 ("staging: comedi: me4000: fix firmware downloading"), but that is the most sensible target for this fix.

AnalysisAI

Out-of-bounds write in Linux kernel comedi me4000 driver firmware loader allows local authenticated users to achieve high-impact code execution, data corruption, or system crash. The me4000_xilinx_download() function blindly trusts firmware file format headers without validating buffer boundaries, reading a length field from the first 4 bytes and then reading that many bytes from offset 16 without checking total file size. Patch available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability despite CVSS 7.8 rating. No public exploit code or active exploitation confirmed.

Technical ContextAI

This vulnerability affects the comedi subsystem's me4000 driver (drivers/comedi/me4000.c), specifically the me4000_xilinx_download() function responsible for loading FPGA firmware via the kernel's request_firmware() interface. The root cause is CWE-787 (Out-of-bounds Write), a classic buffer overflow where untrusted input (firmware file length header) controls memory operations without validation. The function reads a 4-byte file_length value from the firmware blob, then attempts to copy file_length bytes starting at offset 16 into kernel memory without verifying that (16 + file_length) <= actual_firmware_size. This creates a kernel heap buffer overflow condition. The me4000 driver supports Meilhaus Electronic data acquisition cards using Xilinx FPGAs, a niche hardware category primarily deployed in industrial control and scientific instrumentation environments. The vulnerability was introduced in commit ac584af59945 which fixed prior firmware loading issues but failed to add length validation. CPE strings indicate broad Linux kernel exposure across versions since 3.19, though practical impact is limited to systems with me4000 hardware and loaded driver module.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253+ for 5.10.x series, 5.15.203+ for 5.15.x, 6.1.168+ for 6.1.x, 6.6.134+ for 6.6.x, 6.12.81+ for 6.12.x, 6.18.22+ for 6.18.x, 6.19.12+ for 6.19.x, or 7.0+ for mainline. Distribution-specific updates are available through normal package management channels. Backport commits are referenced at git.kernel.org/stable URLs listed in references section. For systems unable to immediately patch, specific compensating controls include: (1) Unload or blacklist the me4000 kernel module if me4000 hardware is not actively used (add 'blacklist me4000' to /etc/modprobe.d/blacklist.conf) - this completely eliminates the attack surface with no side effects if hardware is unused; (2) Restrict access to /sys/class/firmware and firmware loading paths to root-only using filesystem permissions and SELinux/AppArmor policies - note this may interfere with legitimate firmware loading for other devices during hotplug events; (3) Deploy kernel lockdown mode (integrity or confidentiality level) to restrict unsigned firmware loading - this affects all firmware operations system-wide, not just me4000, and may break hardware requiring unsigned firmware. Trade-offs: module blacklisting is safest with minimal side effects; firmware path restrictions require careful testing; kernel lockdown has broad system impact. Verify patch application by checking kernel version with 'uname -r' and confirming it matches patched releases.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy