Skip to main content

Linux Kernel EUVDEUVD-2026-32297

| CVE-2026-46001 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j98c-q2pf-9m22
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.0 MEDIUM

Triggering requires a malicious I2C peripheral on a system with the pt5161l driver loaded, so AV:L/AC:H/PR:H; kernel stack corruption gives high integrity/availability impact with limited direct confidentiality.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:38 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()

Fix two bugs in pt5161l_read_block_data():

  1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24],

but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX.

  1. Unexpected positive return on length mismatch: When all three

retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.

AnalysisAI

Stack buffer overrun in the Linux kernel's pt5161l hwmon driver allows a malicious or malfunctioning I2C device to write up to 32 bytes into a 24-byte stack buffer during pt5161l_read_block_data(), corrupting kernel memory. The flaw affects Linux 6.9 through versions before the stable fixes, and a secondary bug causes the driver to process stale data as valid when retries are exhausted with a length mismatch. EPSS is very low (0.02%) and no public exploit identified at time of analysis.

Technical ContextAI

The pt5161l driver is a hardware monitor (hwmon) for Astera Labs PT5161L PCIe retimers communicated with over the I2C/SMBus subsystem. The root cause is CWE-787 (out-of-bounds write): pt5161l_read_block_data() declares a 24-byte stack buffer (u8 rbuf[24]) and passes it to i2c_smbus_read_block_data(), which can copy up to I2C_SMBUS_BLOCK_MAX (32) bytes from the device into the buffer before the caller can validate the returned length, producing a deterministic 8-byte stack overrun if the device returns more than 24 bytes. A second logic bug returns the positive byte count from the underlying I2C call when all three retries fail with a length mismatch, so callers treating any non-negative value as success consume stale buffer contents.

RemediationAI

Upstream fix available via the four referenced git.kernel.org commits; vendor-released patches are present in stable kernels 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1, so upgrade to one of those (or a downstream distro kernel that has backported the fix) - see https://git.kernel.org/stable/c/24c73e93d6a756e1b8626bb259d2e07c5b89b370 and the companion commits. As a compensating control on unpatched systems that do not need the driver, blacklist the pt5161l module (echo 'blacklist pt5161l' to /etc/modprobe.d/) which eliminates the attack surface at the cost of losing PCIe retimer telemetry; on systems that do require it, restrict physical and management-bus access so untrusted I2C devices cannot be attached, since the overrun is triggered by a non-compliant device on the bus.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32297 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy