CVE-2026-43495
Awaiting Analysis Awaiting Analysis - Queue
Heap-based Buffer Overflow in Linux Kernel t7xx Driver

Publication date: 2026-05-21

Last updated on: 2026-05-30

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-30
Generated
2026-06-15
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43495
EUVD
EUVD-2026-31271
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of modem messages in the t7xx driver. Specifically, the function t7xx_port_enum_msg_handler uses a modem-supplied field called port_count as a loop boundary without verifying that the message buffer actually contains enough data. If a modem sends a message with a port_count value of 65535 but the buffer is only 12 bytes long, this causes a slab-out-of-bounds read of up to 262140 bytes. The issue arises because the code does not properly check the size of the message before accessing its contents, leading to potential memory safety violations.

The fix involves adding checks to ensure the message buffer is large enough before accessing its fields, including a sizeof check on the message header and validating the port_count against the actual buffer size. Additional checks were added in related functions to prevent out-of-bounds reads and signed integer overflows.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel when processing modem messages. Such memory safety issues can cause system instability, crashes, or potentially allow an attacker to read sensitive kernel memory. This could compromise system security and reliability, especially on devices using the affected t7xx modem driver.

Mitigation Strategies

The vulnerability has been resolved by adding checks in the Linux kernel code to validate message lengths and prevent out-of-bounds reads. To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes these fixes.

  • Apply the latest Linux kernel updates or patches that address the t7xx_port_enum_msg_handler vulnerability.
  • Avoid using untrusted modems or devices that may send malformed port_count values.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43495. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart