CVE-2026-23092
Stack Buffer Overflow in Linux iio DAC ad3552r-hs Driver
Publication date: 2026-02-04
Last updated on: 2026-03-17
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.16 (inc) to 6.18.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's iio: dac: ad3552r-hs driver, specifically in the function ad3552r_hs_write_data_source.
The issue arises because when simple_write_to_buffer() succeeds, it returns the actual number of bytes copied to the buffer. However, the code incorrectly uses the original 'count' value as the index for null termination instead of the returned number of bytes copied.
If 'count' exceeds the buffer size (which is a fixed 64-byte stack buffer), the code writes a null terminator beyond the buffer boundary, causing an out-of-bounds write on the stack.
This can be triggered by opening the device node and writing more than 64 bytes (e.g., 128 bytes), which overflows the buffer and is detected by KASAN (Kernel Address Sanitizer).
How can this vulnerability impact me? :
This vulnerability can lead to an out-of-bounds write on the stack, which may cause memory corruption.
Memory corruption can potentially be exploited to cause system instability, crashes, or in some cases, arbitrary code execution with kernel privileges.
Since this occurs in the Linux kernel, exploitation could compromise the entire system's security and stability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the out-of-bounds write condition on the affected device node. Specifically, opening the device node and writing more bytes than the buffer size (e.g., writing 128 bytes to a 64-byte buffer) can trigger the issue.
Using kernel debugging tools such as KASAN (Kernel Address Sanitizer) can help detect the out-of-bounds write by reporting memory violations.
- Open the device node associated with the vulnerable driver.
- Write a large number of bytes (e.g., 128 bytes of data) to the device node to test for buffer overflow.
- Monitor kernel logs for KASAN reports indicating out-of-bounds writes.
- Example command to write data: `echo -n $(head -c 128 /dev/zero | tr '\0' 'A') > /dev/<device_node>`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding writing more data than the buffer size (64 bytes) to the affected device node to prevent triggering the out-of-bounds write.
Apply any available patches or updates to the Linux kernel that fix this vulnerability, specifically the fix that adds a check for the count and uses the actual number of bytes copied as the index.
If patching is not immediately possible, restrict access to the vulnerable device node to trusted users only.