CVE-2026-43380
Received Received - Intake
Stack Overflow in Linux Kernel PMBus q54sj108a2 Driver

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read. Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43380
EUVD
EUVD-2026-28686
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a stack buffer overflow in the Linux kernel's hwmon subsystem, specifically in the pmbus/q54sj108a2 driver within the debugfs read function.

The issue arises because the function q54sj108a2_debugfs_read incorrectly passes arguments to the bin2hex() function, swapping the source and destination buffers.

bin2hex() converts each input byte into two hexadecimal characters, so a 32-byte input results in 64 bytes of output. However, the destination buffer 'data' is only 34 bytes long, causing 30 bytes to be written beyond the buffer's end on the stack, leading to a stack buffer overflow.

Additionally, because the arguments were swapped, the function was reading from a zero-initialized buffer and writing to a smaller buffer, resulting in incorrect all-zero output regardless of the actual I2C read.

The fix involved expanding the output buffer size, correcting the argument order to bin2hex(), and properly selecting the output buffer for the final read operation.


How can this vulnerability impact me? :

This vulnerability can lead to a stack buffer overflow, which may cause the Linux kernel to crash or behave unpredictably.

In some cases, stack buffer overflows can be exploited by attackers to execute arbitrary code with kernel privileges, potentially compromising system security.

Additionally, the incorrect output caused by the argument swap could lead to misleading or incorrect data being read from the hardware monitoring interface.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by updating the Linux kernel to a version where the q54sj108a2_debugfs_read function has been corrected.

  • Apply the patch that expands the 'data_char' buffer to 66 bytes to safely hold the hex output.
  • Ensure the bin2hex() function arguments are correctly ordered, using the actual read count.
  • Use the corrected pointer to select the appropriate output buffer for the final simple_read_from_buffer call.

In practice, this means updating your Linux kernel to the fixed version released on or after 2026-05-08.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart