CVE-2026-43380
Description
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source.
Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack.
Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read.
Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Linux kernel hwmon pmbus/q54sj108a2 driver, debugfs read function has stack buffer overflow due to swapped bin2hex arguments, potentially exploitable for privilege escalation.
Vulnerability
The q54sj108a2_debugfs_read function in the Linux kernel's hwmon subsystem contains a stack buffer overflow caused by incorrect usage of the bin2hex() function. The function passes arguments in the wrong order, writing hex output to a buffer (data) that is only 34 bytes, while bin2hex() produces 64 bytes for a 32-byte input. This results in overwriting 30 bytes beyond the buffer on the stack. Additionally, the source buffer was zero-initialized, causing all-zero output regardless of actual I2C data [1].
Exploitation
Exploitation requires the ability to read a debugfs file exposed by the q54sj108a2 driver. Since debugfs is typically accessible only to users with root privileges or those in the appropriate group, the attacker needs local access and sufficient permissions. The overflow occurs during a read operation, which could corrupt adjacent stack memory, potentially leading to control-flow hijacking or privilege escalation.
Impact
An attacker who can perform the debugfs read may cause a kernel stack buffer overflow. This could lead to arbitrary code execution in kernel context, system crash (denial of service), or information disclosure. The severity is high due to the potential for privilege escalation.
Mitigation
The fix expands the destination buffer to 66 bytes, corrects the argument order, and uses the actual read count. It was committed to the Linux kernel stable tree [1]. Users should apply the patch or update to a kernel version containing the fix.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976nvd
- git.kernel.org/stable/c/25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43nvd
- git.kernel.org/stable/c/52db5ef163c96f916d424e472fb17aadc35a9f7anvd
- git.kernel.org/stable/c/73a7a345816946d276ad2c46c8bb771de67cfc46nvd
- git.kernel.org/stable/c/a0fc1b9c738fba231f190ab960c83202722efee5nvd
- git.kernel.org/stable/c/b48a0f8d4541a4f6651dc9a64430ce9fdf5c120bnvd
- git.kernel.org/stable/c/c59090c50f62a17129fc4c5407bc4071305a9e82nvd
News mentions
0No linked articles in our index yet.