Skip to main content

Linux Kernel EUVDEUVD-2026-31271

| CVE-2026-43495 HIGH
Out-of-bounds Read (CWE-125)
2026-05-21 Linux GHSA-mhw6-p52x-6vxv
8.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 13:28 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
8.8 (HIGH)
Patch available
May 21, 2026 - 13:01 EUVD
CVE Published
May 21, 2026 - 12:12 nvd
UNKNOWN (no severity yet)
CVE Published
May 21, 2026 - 12:12 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.

AnalysisAI

Slab-out-of-bounds read in the Linux kernel's t7xx WWAN driver allows a malicious or compromised MediaTek modem to leak up to 262140 bytes of kernel memory by sending a crafted port enumeration message with an inflated port_count field. The flaw affects systems using the t7xx driver (e.g., laptops with MediaTek 5G M.2 modems such as the FM350-GL) and has no public exploit identified at time of analysis, with an EPSS score of 0.02% indicating very low predicted exploitation activity.

Technical ContextAI

The bug lives in drivers/net/wwan/t7xx, the in-tree driver for MediaTek T700-series PCIe 5G WWAN modems. The t7xx_port_enum_msg_handler() function trusts a 16-bit port_count value supplied by the modem firmware and iterates over port_msg->data[] without verifying that the underlying sk_buff contains enough bytes, while t7xx_parse_host_rt_data() similarly dereferences rt_feature headers and uses feat_data_len as a signed offset without bounds checking. The root cause is a classic missing input validation pattern (CWE-125 out-of-bounds read / CWE-1284 improper validation of length parameter) on a data buffer received from a peripheral device; the patch introduces sizeof(*port_msg), struct_size(), and remaining-buffer checks and threads msg_len through both call sites.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc3 (or any later release in those series) which contain the t7xx bounds-checking fix; the corresponding stable commits are linked at https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf and siblings 9855e063e063, 2b56d7903ab8, dd4f4c93c148, and 0e7c074cfcd9. For distributions that have not yet shipped a backport, pull the upstream commits manually or wait for the distro kernel update (Debian, Ubuntu, RHEL, SUSE all track stable). As a compensating control on systems that do not need MediaTek WWAN connectivity, blacklist the t7xx module (echo 'blacklist mtk_t7xx' > /etc/modprobe.d/blacklist-t7xx.conf && update-initramfs -u) which removes the attack surface entirely at the cost of disabling any built-in 5G modem; physical-access-only deployments can also unbind the device via /sys/bus/pci/drivers/mtk_t7xx/unbind, accepting loss of cellular connectivity.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-31271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy