Skip to main content

Linux Kernel EUVDEUVD-2026-28686

| CVE-2026-43380 HIGH
Out-of-bounds Read (CWE-125)
2026-05-08 Linux GHSA-7c6h-fgvg-xw96
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
May 20, 2026 - 17:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
May 20, 2026 - 17:22 NVD
7.1 (HIGH) 7.8 (HIGH)
Analysis Generated
May 19, 2026 - 20:07 vuln.today
CVSS changed
May 19, 2026 - 20:07 NVD
7.1 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read

The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source.

Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack.

Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read.

Fix this by:

  1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
  2. Correcting the bin2hex() argument order and using the actual read count.
  3. Using a pointer to select the correct output buffer for the final

simple_read_from_buffer call.

AnalysisAI

Stack buffer overflow in the Linux kernel's pmbus/q54sj108a2 hwmon driver allows local privileged users to corrupt kernel stack memory by reading from a specific debugfs entry. The flaw stems from a misuse of bin2hex() that writes 64 bytes of hex-encoded output into a 34-byte stack buffer, overflowing it by 30 bytes; no public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.03% (9th percentile).

Technical ContextAI

The affected component is drivers/hwmon/pmbus/q54sj108a2.c, the Linux kernel driver for the Delta Electronics Q54SJ108A2 power module exposed via PMBus over I2C. The bug class (CWE-125, out-of-bounds read paired here with an out-of-bounds write) arises in q54sj108a2_debugfs_read(): bin2hex() doubles the size of each input byte when encoding to hex, so a 32-byte I2C SMBUS block (I2C_SMBUS_BLOCK_MAX) produces 64 hex bytes, but the destination 'data' buffer was sized I2C_SMBUS_BLOCK_MAX+2 = 34 bytes. The arguments were also swapped, so the routine read from a zero-initialized scratch buffer and wrote past the end of 'data' on the kernel stack, both leaking constant data to userspace and corrupting adjacent stack frames.

RemediationAI

Vendor-released patch: upgrade to Linux 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or later within each respective stable series, or pick up the stable backport commits referenced at git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976 and the companion commits (a0fc1b9c738f, c59090c50f62, 52db5ef163c9, b48a0f8d4541, 25dd70a03b1f, 73a7a3458169). Where immediate kernel update is not possible, unload or blacklist the q54sj108a2 module if the Delta Q54SJ108A2 power module is not present (most general-purpose systems do not need it), or restrict access to /sys/kernel/debug by tightening debugfs mount permissions (defaults to mode 0700 root-only - verify it has not been relaxed); the trade-off is loss of low-level hwmon diagnostics for that part. CONFIG_DEBUG_FS=n at build time eliminates the attack surface entirely but disables debugfs system-wide, which many tracing and diagnostic tools depend on.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy