Unrated severity · NVD Advisory · Published Jun 9, 2026

CVE-2026-46332

Description

Linux kernel greybus driver has a buffer overflow vulnerability in gb-beagleplay, potentially allowing data corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Linux kernel's greybus driver, specifically in the gb-beagleplay component, contains a vulnerability in the cc1352_bootloader_rx() function. This function appends serdev chunks to a fixed rx_buffer before parsing bootloader packets. The issue arises because the buffer can retain leftover bytes between callbacks, and a single callback might receive multiple packets, meaning the byte count is not constrained by a single packet's length. This can lead to an overflow of the rx_buffer.

Exploitation

An attacker would need to reach the cc1352_bootloader_rx() function with specially crafted input. The overflow occurs when an incoming chunk of data does not fit into the space remaining in the rx_buffer and memcpy() is called on it anyway. This requires the ability to send data to the affected device that is processed by the greybus driver.

Impact

Successful exploitation of this vulnerability could lead to an overflow of the rx_buffer. This overflow can corrupt data within the buffer, potentially leading to denial of service or unpredictable behavior within the greybus subsystem. The exact impact depends on how the corrupted data is subsequently processed by the kernel.

Mitigation

This vulnerability has been resolved in the Linux kernel. The fix involves checking if the incoming chunk fits in the remaining receive buffer space before performing the memcpy() operation. If it does not fit, the staged data is dropped, and the bytes are consumed, preventing the overflow. The specific commit addressing this is available at [1] and [2]. No information regarding workarounds or end-of-life status for affected versions is available in the provided references.
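
The check described above, modelled in user space as an added example (not the driver's code or part of the original advisory). `struct rx_stage`, `stage_append()`, `stage_consume()` and the 16-byte `RX_BUF_SIZE` are hypothetical stand-ins; the driver's real buffer size is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RX_BUF_SIZE 16	/* constructed size, chosen for the example */

/* Hypothetical stand-in for the driver's staging state. */
struct rx_stage {
	uint8_t buf[RX_BUF_SIZE];
	size_t len;		/* bytes staged; invariant: len <= RX_BUF_SIZE */
	unsigned int drops;	/* times the staged data was discarded */
};

/*
 * Append one chunk and return the bytes consumed (always count, as in the
 * fix). Written as count > size - len so the test itself cannot wrap, which
 * len + count > size would do for a count near SIZE_MAX.
 */
static size_t stage_append(struct rx_stage *s, const uint8_t *data, size_t count)
{
	if (count > sizeof(s->buf) - s->len) {
		s->len = 0;	/* drop leftovers together with the new chunk */
		s->drops++;
		return count;
	}
	memcpy(s->buf + s->len, data, count);
	s->len += count;
	return count;
}

/* Model the parser removing one n-byte packet and keeping the remainder. */
static void stage_consume(struct rx_stage *s, size_t n)
{
	if (n > s->len)
		n = s->len;
	memmove(s->buf, s->buf + n, s->len - n);
	s->len -= n;
}

/* Constructed scenario: leftovers turn a chunk that fits alone into an overflow. */
static int demo(void)
{
	static const uint8_t chunk[12] = { 0 };
	struct rx_stage s = { .len = 0 };
	stage_append(&s, chunk, 12);	/* staged: 12 */
	stage_consume(&s, 6);		/* leftover: 6 */
	stage_append(&s, chunk, 12);	/* 12 > 16 - 6: dropped, len back to 0 */
	return (int)s.drops;
}
```

Without the `if`, the second `stage_append()` call in `demo()` would copy 12 bytes at offset 6 of a 16-byte array, which is the leftover-plus-chunk case the description refers to.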

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

8
0339a746ff7c

greybus: gb-beagleplay: bound bootloader receive buffering

1 file changed · +7 1
  • drivers/greybus/gb-beagleplay.c+7 1 modified
    diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c
    index 87186f891a6ac..e70787146c4fa 100644
    --- a/drivers/greybus/gb-beagleplay.c
    +++ b/drivers/greybus/gb-beagleplay.c
    @@ -535,6 +535,13 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
     	int ret;
     	size_t off = 0;
     
    +	if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
    +		dev_warn(&bg->sd->dev,
    +			 "dropping oversized bootloader receive chunk");
    +		bg->rx_buffer_len = 0;
    +		return count;
    +	}
    +
     	memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
     	bg->rx_buffer_len += count;
     
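
Review bot: the dev_warn() string added ahead of the memcpy() has no trailing newline and the call is not rate-limited. Kernel log messages normally end in "\n", and because this branch runs on every receive callback whose chunk does not fit, a device that keeps sending such chunks can fill the log. Consider dev_warn_ratelimited(&bg->sd->dev, "dropping oversized bootloader receive chunk\n").
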
663c2728a6d0

greybus: gb-beagleplay: bound bootloader receive buffering

1 file changed · +7 1
  • drivers/greybus/gb-beagleplay.c+7 1 modified
    diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c
    index 2a207eab40452..d33b6ce3948f4 100644
    --- a/drivers/greybus/gb-beagleplay.c
    +++ b/drivers/greybus/gb-beagleplay.c
    @@ -535,6 +535,13 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
     	int ret;
     	size_t off = 0;
     
    +	if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
    +		dev_warn(&bg->sd->dev,
    +			 "dropping oversized bootloader receive chunk");
    +		bg->rx_buffer_len = 0;
    +		return count;
    +	}
    +
     	memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
     	bg->rx_buffer_len += count;
     
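
Review bot: the bound in the new if depends on bg->rx_buffer_len never exceeding sizeof(bg->rx_buffer), and nothing in the hunk states that. The subtraction is done in size_t, so if the length were ever larger the result would wrap to a huge value and every count would pass the check. With the check placed directly in front of the memcpy() and the rx_buffer_len += count below it, the invariant holds for this path, but a one-line comment saying so (or a WARN_ON_ONCE on the length) would keep a later change to another writer of rx_buffer_len from silently breaking it.
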
1214bf28965c

greybus: gb-beagleplay: bound bootloader receive buffering

1 file changed · +7 1
  • drivers/greybus/gb-beagleplay.c+7 1 modified
    diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c
    index 305066febbe77..244966d56c9ba 100644
    --- a/drivers/greybus/gb-beagleplay.c
    +++ b/drivers/greybus/gb-beagleplay.c
    @@ -623,6 +623,13 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
     		return count;
     	}
     
    +	if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
    +		dev_warn(&bg->sd->dev,
    +			 "dropping oversized bootloader receive chunk");
    +		bg->rx_buffer_len = 0;
    +		return count;
    +	}
    +
     	memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
     	bg->rx_buffer_len += count;
     
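
Review bot: the drop branch throws away the incoming chunk together with whatever was already staged, and the message calls the chunk "oversized" even when it is small and the buffer was simply almost full of leftover bytes. Printing count and bg->rx_buffer_len in the warning would make it diagnosable, and a short comment above bg->rx_buffer_len = 0 explaining why both are discarded (rather than only the new chunk) would help the next reader.
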
fb91d4e49fcb

greybus: gb-beagleplay: bound bootloader receive buffering

1 file changed · +7 1
  • drivers/greybus/gb-beagleplay.c+7 1 modified
    diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c
    index 87186f891a6ac..e70787146c4fa 100644
    --- a/drivers/greybus/gb-beagleplay.c
    +++ b/drivers/greybus/gb-beagleplay.c
    @@ -535,6 +535,13 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
     	int ret;
     	size_t off = 0;
     
    +	if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
    +		dev_warn(&bg->sd->dev,
    +			 "dropping oversized bootloader receive chunk");
    +		bg->rx_buffer_len = 0;
    +		return count;
    +	}
    +
     	memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
     	bg->rx_buffer_len += count;
     

References

4

News mentions

1