CVE-2026-43495
Description
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.
Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.
Add a struct_size() check after extracting port_count and before the loop.
In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, and validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.
Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's t7xx WWAN driver, missing buffer-length checks in port enumeration message handling allow a malicious modem to trigger a slab-out-of-bounds read via a crafted port_count field.
Vulnerability
The Linux kernel's t7xx WWAN driver contains an out-of-bounds read vulnerability in the t7xx_port_enum_msg_handler() function. When handling a port enumeration message from the modem, the function uses the modem-supplied port_count field as a loop bound over port_msg->data[] without verifying that the message buffer contains sufficient data. A modem can send a short message (e.g., 12 bytes) with port_count=65535, which causes a slab-out-of-bounds read of up to 262140 bytes. Additionally, in t7xx_parse_host_rt_data(), insufficient validation of feat_data_len can lead to out-of-bounds reads and signed integer overflow on offset calculations. The affected kernels are those prior to the commits that apply the fixes (see references [1], [2]).
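The two length checks described above, as an added userspace model (not the kernel driver's code). The 12-byte header, the 4-byte entries and the position of port_count in the low 16 bits of the second header word are assumptions chosen to match the 12-byte and 262140-byte figures in the description; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN   12u  /* assumed layout: three 32-bit header words */
#define ENTRY_LEN  4u  /* one data[] element; 65535 * 4 = 262140 */

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bytes a message claiming port_count entries must hold; userspace stand-in
 * for struct_size(). port_count is 16-bit here, so this cannot wrap size_t. */
size_t port_msg_needed(uint16_t port_count)
{
    return (size_t)HDR_LEN + (size_t)port_count * ENTRY_LEN;
}

/* Returns the number of entries walked, or -1 if the message is rejected. */
int parse_port_enum(const uint8_t *buf, size_t msg_len, uint32_t *xor_out)
{
    if (msg_len < HDR_LEN)                      /* header fields must be present */
        return -1;
    uint16_t port_count = (uint16_t)(rd32le(buf + 4) & 0xffffu); /* assumed field */
    if (msg_len < port_msg_needed(port_count))  /* claimed entries must fit */
        return -1;
    uint32_t acc = 0;
    for (unsigned int i = 0; i < port_count; i++)
        acc ^= rd32le(buf + HDR_LEN + (size_t)i * ENTRY_LEN);
    *xor_out = acc;
    return (int)port_count;
}

/* Constructed sample: header-only message that claims 65535 ports. */
int demo_oversized_claim(void)
{
    uint8_t msg[12] = { 0, 0, 0, 0, 0xff, 0xff, 0, 0, 0, 0, 0, 0 };
    uint32_t x = 0;
    return parse_port_enum(msg, sizeof(msg), &x);
}

/* Constructed sample: two entries (1 and 3) that really are in the buffer. */
int demo_honest(void)
{
    uint8_t msg[20] = { 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0 };
    uint32_t x = 0;
    int n = parse_port_enum(msg, sizeof(msg), &x);
    return (n == 2 && x == 2u) ? n : -2;
}
```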
Exploitation
An attacker must have control over the modem device connected to a system using the t7xx driver. No authentication or special privileges are required beyond physical or logical access to the modem. The attacker sends a crafted port enumeration message that specifies a large port_count value while the actual message buffer is small. The driver then iterates beyond the buffer bounds, reading memory that was not part of the intended data.
Impact
Successful exploitation results in a slab-out-of-bounds read, which can leak sensitive kernel memory contents to the attacker. This could lead to information disclosure of kernel addresses or other secrets. The vulnerability does not grant code execution directly, but the leaked information may aid further attacks.
Mitigation
Fix commits are available in the Linux kernel stable branches. Reference [1] (commit 0e7c074cfcd9) and reference [2] (commit 2b56d7903ab8) address the issue by adding appropriate buffer-length checks. Users should update to kernel versions containing these fixes. No CISA KEV listing has been issued at the time of writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Vulnerability mechanics
Root cause
"Missing length validation in t7xx_port_enum_msg_handler() allows a modem-supplied port_count to cause out-of-bounds reads; additionally, t7xx_parse_host_rt_data() lacks buffer-bound checks before accessing feature data, enabling OOB reads and signed integer overflow."
Attack vector
An attacker with control over a malicious or compromised modem sends an undersized port enumeration message (e.g., 12 bytes) with port_count set to a large value like 65535. The driver uses this unchecked port_count as a loop bound over port_msg->data[], reading up to 262140 bytes beyond the slab-allocated buffer. Similarly, in the runtime feature handshake path, a crafted message with a large feat_data_len can trigger out-of-bounds reads or a signed integer overflow on offset calculations [patch_id=1215893][patch_id=1215894][patch_id=1215895][patch_id=1215896]. No authentication is required beyond the modem's ability to send control messages over the WWAN interface.
Affected code
The vulnerability resides in t7xx_port_enum_msg_handler() in the WWAN T7xx driver, where the modem-supplied port_count field is used as a loop bound without validating it against the actual message buffer length. Additionally, t7xx_parse_host_rt_data() lacks buffer-bound checks before accessing rt_feature header fields and uses feat_data_len without validating it against the remaining buffer.
What the fix does
The patch adds a sizeof(*port_msg) check before accessing port message header fields to reject undersized messages [patch_id=1215893][patch_id=1215888]. After extracting port_count, a struct_size() check ensures the claimed port_count fits within the actual message length before entering the loop [patch_id=1215894][patch_id=1215890]. In t7xx_parse_host_rt_data(), a remaining-buffer check guards the rt_feature header read, feat_data_len is validated against the remaining buffer, and msg_len is passed from both call sites (skb->len after skb_pull() at the DPMAIF path, and the validated feat_data_len at the handshake path) to prevent OOB reads and signed integer overflow [patch_id=1215895][patch_id=1215896][patch_id=1215891][patch_id=1215892].
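The remaining-buffer validation described for the runtime feature path, as an added userspace model (not the kernel driver's code). The 8-byte record header with a 32-bit little-endian data_len at offset 4, and all function names, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define FEAT_HDR_LEN 8u  /* assumed: 4 bytes of id/flags, then 32-bit LE data_len */

static uint32_t feat_rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks length-prefixed feature records in buf[0..len). Returns the number of
 * well-formed records, or -1 at the first record that does not fit. */
int walk_rt_features(const uint8_t *buf, size_t len)
{
    size_t offset = 0;  /* unsigned and always <= len: cannot go negative */
    int count = 0;

    while (offset < len) {
        size_t remaining = len - offset;
        if (remaining < FEAT_HDR_LEN)             /* guard the header read */
            return -1;
        uint32_t data_len = feat_rd32le(buf + offset + 4);
        if (data_len > remaining - FEAT_HDR_LEN)  /* guard the payload */
            return -1;
        /* a per-feature handler would receive (payload, data_len) here,
         * so it inherits a length that has already been validated */
        offset += (size_t)FEAT_HDR_LEN + data_len;
        count++;
    }
    return count;
}

/* Constructed sample: one record with a 4-byte payload, one with none. */
int demo_two_records(void)
{
    uint8_t buf[20] = { 1, 0, 0, 0, 4, 0, 0, 0, 0xaa, 0xbb, 0xcc, 0xdd,
                        2, 0, 0, 0, 0, 0, 0, 0 };
    return walk_rt_features(buf, sizeof(buf));
}

/* Constructed sample: 8-byte buffer whose data_len claims 0x7fffffff bytes. */
int demo_huge_data_len(void)
{
    uint8_t buf[8] = { 1, 0, 0, 0, 0xff, 0xff, 0xff, 0x7f };
    return walk_rt_features(buf, sizeof(buf));
}
```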
Preconditions
- network: Attacker must control or compromise the modem connected to the host via the WWAN interface.
- input: Modem must send a crafted port enumeration message with a large port_count value in a small buffer, or a crafted runtime feature message with a large feat_data_len.
Generated on May 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 (nvd)
- git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c (nvd)
- git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202 (nvd)
- git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1 (nvd)
- git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf (nvd)