Skip to main content

Linux Kernel EUVDEUVD-2026-30012

| CVE-2026-43476 HIGH
2026-05-13 Linux GHSA-qqrc-59pp-4p3j
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 19:30 vuln.today
CVSS changed
May 20, 2026 - 17:22 NVD
7.8 (HIGH)
Patch available
May 13, 2026 - 16:33 EUVD
CVE Published
May 13, 2026 - 15:08 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()

sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to correctly match the buffer element type.

AnalysisAI

Local privilege escalation potential exists in the Linux kernel's IIO chemical sensor subsystem, specifically the sps30_i2c driver, where an incorrect sizeof() calculation in sps30_i2c_read_meas() uses sizeof(size_t) instead of sizeof(*meas), creating a buffer size mismatch. Affecting Linux kernel versions from 5.14 onward, the flaw could lead to memory corruption or out-of-bounds access when handling measurement data from Sensirion SPS30 particulate matter sensors over I2C. EPSS is very low at 0.02% and there is no public exploit identified at time of analysis, but a CVSS of 7.8 reflects high local impact on confidentiality, integrity, and availability.

Technical ContextAI

The vulnerability resides in drivers/iio/chemical/sps30_i2c.c, the Linux Industrial I/O (IIO) driver for the Sensirion SPS30 particulate matter sensor connected via I2C. The driver reads measurement data into a buffer of __be32 elements, but the bug used sizeof(num) - where num is a size_t (8 bytes on 64-bit, 4 bytes on 32-bit) - instead of sizeof(*meas), which is the intended 4-byte big-endian element size. This sizing mismatch produces an incorrect buffer length calculation, a classic CWE-131 (Incorrect Calculation of Buffer Size) / CWE-805 (Buffer Access with Incorrect Length Value) class of defect, leading to potential out-of-bounds reads or writes during sensor data processing. The CWE field is marked N/A in the source data, but the bug pattern aligns with these calculation-error weaknesses.

RemediationAI

Vendor-released patch: upgrade to a fixed Linux stable kernel - 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0 or later - depending on which stable branch you track. Distribution-specific kernel updates carrying these backports should be applied via the normal package manager once available (Debian/Ubuntu/RHEL/SUSE security trackers). The upstream fixes are available as commits at https://git.kernel.org/stable/c/9aff2e9c2927ecd9652872a43a0725f101128104, https://git.kernel.org/stable/c/08881d82f94deaa51800360029908863e5c4c39d, https://git.kernel.org/stable/c/dcdf1e92674efb6692f4ebe189e0aa9fde23a541, https://git.kernel.org/stable/c/2a4d111a6a34afb8bb4f118009e7728ed2ec7e10, https://git.kernel.org/stable/c/90e978ace598567e6e30de79805bddf37cf892ac, https://git.kernel.org/stable/c/165f12b40901c6a7aca15796da239726ddcdc5ad, and https://git.kernel.org/stable/c/216345f98cae7fcc84f49728c67478ac00321c87. As a compensating control until patched kernels are deployed, blacklist the sps30_i2c module via /etc/modprobe.d (e.g., 'blacklist sps30_i2c') on systems that do not actually require SPS30 sensor support - the trade-off is loss of particulate-matter sensor functionality on hardware that uses it. Restricting local low-privilege user access to systems with the driver loaded further reduces exposure, since the attack vector is local.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-30012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy