VYPR

High severity (CVSS 7.1) · NVD Advisory · Published May 1, 2026 · Updated May 12, 2026

CVE-2026-43005

Description

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (tps53679) Fix array access with zero-length block read

i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack.

Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access.

Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's TPS53679 hardware monitor driver, a zero-length block read can cause an out-of-bounds array access, leading to a potential crash or information leak.

Vulnerability

In the Linux kernel's hwmon subsystem, the tps53679 driver contains an out-of-bounds array access vulnerability in the tps53679_identify_chip() function. The function calls i2c_smbus_read_block_data(), which can return 0 to indicate a zero-length read. When this happens, the code accesses buf[ret - 1], which becomes buf[-1], reading one byte before the stack-allocated buffer [1].

Exploitation

An attacker who can control the I2C bus response (e.g., through a malicious peripheral or by manipulating the hardware) can trigger a zero-length block read. No special privileges are required beyond the ability to interact with the I2C device. The out-of-bounds read occurs on the kernel stack, potentially leaking sensitive data or causing a crash.

Impact

Successful exploitation could lead to information disclosure (reading kernel stack memory) or a denial of service (system crash). The CVSS v3 score is 7.1 (High), reflecting the potential for significant impact with low attack complexity.

Mitigation

The fix changes the error check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds access. The patch has been applied to the stable kernel tree [1][2][3]. Users should update to a kernel version containing this fix.
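The check described above, as an added C model that is not the kernel's or the tps53679 driver's code: the bus, the device and the block contents are constructed stand-ins with the same return contract as i2c_smbus_read_block_data() (length, 0 for an empty block, or -errno). One function returns the index the pre-fix "ret < 0" check would compute (without dereferencing it), and the fixed path applies the "ret <= 0" check before touching buf[ret - 1]; the assumption that the driver uses the last byte of the block as the chip identifier follows from the description's buf[ret - 1].

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32

/* Constructed stand-in for an SMBus device (not the real bus): `len`
 * is the block length the device answers with, 0 being legal on the
 * wire, and a negative value models a bus error such as a NACK. */
struct fake_dev {
	const unsigned char *block;
	int len;
};

/* Same contract as i2c_smbus_read_block_data(): copy the block into
 * buf and return its length, 0 for an empty block, or -errno. */
static int fake_read_block(const struct fake_dev *dev, unsigned char *buf)
{
	if (dev->len < 0)
		return dev->len;
	if (dev->len > I2C_SMBUS_BLOCK_MAX)
		return -EPROTO;
	memcpy(buf, dev->block, (size_t)dev->len);
	return dev->len;
}

/* The index the pre-fix code computes after its "ret < 0" check. It is
 * returned, not dereferenced: for ret == 0 it is -1, the byte before
 * the buffer that the advisory describes. */
static int unfixed_last_index(int ret)
{
	if (ret < 0)
		return ret;
	return ret - 1;
}

/* Fixed identification: "ret <= 0" turns an empty block into -EIO, so
 * buf[ret - 1] is only evaluated when ret >= 1. Returns the last byte
 * of the block (assumed to be the chip identifier) or a negative errno. */
static int identify_chip_fixed(const struct fake_dev *dev)
{
	unsigned char buf[I2C_SMBUS_BLOCK_MAX];
	int ret = fake_read_block(dev, buf);

	if (ret <= 0)
		return ret < 0 ? ret : -EIO;
	return buf[ret - 1];
}

/* Constructed sample block; the last byte plays the device code. */
static const unsigned char sample_block[] = { 0x11, 0x22, 0x33, 0x44 };

/* Run the fixed path against a device that answers with `len` bytes of
 * sample_block, or with a negative errno when len < 0. */
static int identify_with_len(int len)
{
	struct fake_dev dev = { sample_block, len };

	if (len > (int)sizeof(sample_block))
		return -EINVAL; /* sample data is only four bytes long */
	return identify_chip_fixed(&dev);
}

int main(void)
{
	printf("4-byte block  -> %d (0x%x)\n", identify_with_len(4), identify_with_len(4));
	printf("empty block   -> %d (-EIO is %d)\n", identify_with_len(0), -EIO);
	printf("bus NACK      -> %d (-ENXIO is %d)\n", identify_with_len(-ENXIO), -ENXIO);
	printf("pre-fix index for ret == 0 -> buf[%d]\n", unfixed_last_index(0));
	return 0;
}
```

The same pattern applies to any length-returning read API: a "ret < 0" check only rejects failures, so code that indexes buf[ret - 1] afterwards must also reject ret == 0, or it reads before the buffer.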

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (9)

  • Linux/Kernel (inferred, 9 versions)
    • (no CPE)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=6.17.1, <6.18.22)
    • cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions (0)

No linked articles in our index yet.