CVE-2026-46001
Analyzed - Analysis Complete
Buffer Overrun in Linux Kernel hwmon pt5161l Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()

Fix two bugs in pt5161l_read_block_data():

1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX.

2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.
Meta Information

Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Cross-references: NVD, EUVD
Affected Vendors & Products

Three associated CPEs:

Vendor   Product        Version / Range
linux    linux_kernel   from 6.9 (inclusive) to 6.12.86 (exclusive)
linux    linux_kernel   from 6.13 (inclusive) to 6.18.27 (exclusive)
linux    linux_kernel   from 6.19 (inclusive) to 7.0.4 (exclusive)
Exploitability
CWE ID    Description
CWE-787   The product writes data past the end, or before the beginning, of the intended buffer.
Mitigation Strategies

Update the Linux kernel to a release that carries the fix for pt5161l_read_block_data() in the hwmon pt5161l driver. From the affected ranges listed above, that means 6.12.86, 6.18.27 or 7.0.4 (or later) on the respective series.

The fix resizes rbuf to I2C_SMBUS_BLOCK_MAX so that a block read can no longer overrun the stack, and returns -EIO when the retries are exhausted with a length mismatch so that callers stop treating stale or incomplete data as a successful read. Until the update is applied, exposure is limited to systems where the pt5161l driver is bound to a device, since the vulnerable path is only reached through that driver's I2C block reads.

Executive Summary

The vulnerability is in pt5161l_read_block_data(), a helper in the Linux kernel's hwmon driver for the pt5161l device.

It covers two bugs. First, the helper reads an SMBus block into a local u8 rbuf[24], but i2c_smbus_read_block_data() can deliver up to I2C_SMBUS_BLOCK_MAX (32) bytes, and the i2c core copies them into the caller's buffer before the return value is available. A device that returns more than 24 bytes therefore overruns the stack buffer, and the length check the driver performs afterwards comes too late to prevent it.

Second, when all three retries end with the device returning a block of unexpected length, the helper passes the positive byte count from i2c_smbus_read_block_data() straight back to its caller. Callers treat any non-negative return as success, so they go on to process stale or incomplete buffer contents.
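To make both bugs from the description and the summary concrete, here is an added example; it is not code from the kernel or from the pt5161l driver. It is a user-space C model in which a constructed fake device plays the I2C peripheral and a fake i2c_smbus_read_block_data() reproduces the core's behaviour of copying into the caller's buffer before returning the byte count. The names fake_dev, fake_smbus_read_block_data, vulnerable_read, fixed_read_block_data, run_fixed and run_vulnerable, the canary layout and the 0xA0+i payload bytes are assumptions of this model; the 24- and 32-byte buffer sizes, the three retries and the -EIO rule follow the advisory text.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32
#define OLD_RBUF_SIZE 24      /* the u8 rbuf[24] named in the advisory */
#define READ_RETRIES 3        /* "all three retries" in the advisory */
#define CANARY_BYTES 8        /* stands in for whatever sits next to rbuf on the stack */

/* Constructed stand-in for the device on the bus: `count` is the byte count
 * it announces for the block, `err` (a positive errno) makes the transfer fail. */
struct fake_dev {
    int count;
    int err;
};

/* Models i2c_smbus_read_block_data(): the i2c core copies up to
 * I2C_SMBUS_BLOCK_MAX bytes into `values` and only then returns the count,
 * so the caller cannot reject an oversized block before the copy happens. */
static int fake_smbus_read_block_data(const struct fake_dev *dev, uint8_t *values)
{
    int n = dev->count > I2C_SMBUS_BLOCK_MAX ? I2C_SMBUS_BLOCK_MAX : dev->count;

    if (dev->err)
        return -dev->err;
    for (int i = 0; i < n; i++)
        values[i] = (uint8_t)(0xA0 + i);   /* constructed payload byte */
    return n;
}

/* Before the fix. Instead of corrupting a real stack frame, the frame is
 * modelled as one array: the first 24 bytes are rbuf, the tail is a canary
 * for the neighbouring stack data. Returns how many canary bytes were overwritten. */
static int vulnerable_read(const struct fake_dev *dev)
{
    uint8_t frame[OLD_RBUF_SIZE + CANARY_BYTES];
    int clobbered = 0;

    memset(frame, 0xCC, sizeof(frame));
    /* up to 32 bytes land in what the driver believes is a 24-byte rbuf */
    (void)fake_smbus_read_block_data(dev, frame);
    /* the original post-read length check would run here, after the damage */
    for (size_t i = OLD_RBUF_SIZE; i < sizeof(frame); i++)
        if (frame[i] != 0xCC)
            clobbered++;
    return clobbered;
}

/* After the fix (a simplified model of the patched helper, not the driver's
 * code): a 32-byte rbuf, three attempts, and a negative return on every
 * failure path. 0 means `len` bytes were copied into `buf`. */
static int fixed_read_block_data(const struct fake_dev *dev, uint8_t *buf, size_t len)
{
    uint8_t rbuf[I2C_SMBUS_BLOCK_MAX];
    int ret = 0;

    if (len > I2C_SMBUS_BLOCK_MAX)
        return -EINVAL;
    for (int tries = 0; tries < READ_RETRIES; tries++) {
        ret = fake_smbus_read_block_data(dev, rbuf);
        if (ret < 0)
            continue;                      /* bus error: retry, keep the errno */
        if ((size_t)ret == len) {
            memcpy(buf, rbuf, len);
            return 0;
        }
    }
    /* retries exhausted: a positive byte count must not reach the caller */
    return ret < 0 ? ret : -EIO;
}

/* Demo wrappers: status of the fixed helper (copied bytes checked against the
 * constructed payload on success) and the canary damage count of the old code. */
static int run_fixed(int count, int err, size_t len)
{
    struct fake_dev dev = { .count = count, .err = err };
    uint8_t buf[I2C_SMBUS_BLOCK_MAX];
    int ret = fixed_read_block_data(&dev, buf, len);

    for (size_t i = 0; ret == 0 && i < len; i++)
        if (buf[i] != (uint8_t)(0xA0 + i))
            return -EBADMSG;
    return ret;
}

static int run_vulnerable(int count)
{
    struct fake_dev dev = { .count = count, .err = 0 };
    return vulnerable_read(&dev);
}

int main(void)
{
    printf("old rbuf[24], device sends 32 bytes: %d canary bytes clobbered\n", run_vulnerable(32));
    printf("fixed, device sends 32 bytes, 16 expected: %d (-EIO is %d)\n", run_fixed(32, 0, 16), -EIO);
    printf("fixed, bus returns -ENXIO: %d\n", run_fixed(0, ENXIO, 16));
    return 0;
}
```

The vulnerable model only counts overwritten canary bytes rather than crashing, because writing past a real rbuf is undefined behaviour; in the kernel those bytes are the saved registers and return address of the helper's frame, which is what makes a CWE-787 on the stack dangerous. The fixed helper also rejects a len larger than I2C_SMBUS_BLOCK_MAX up front; the advisory does not mention that check, it is added here so the memcpy stays bounded for any caller of this model.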

Impact Analysis

The overrun is a stack buffer overflow (CWE-787) in kernel context: bytes written past rbuf land on the kernel stack, which can crash the system or, with attacker-controlled contents, be a step toward code execution with kernel privileges. Triggering it requires the device answering the driver's reads on the I2C bus to return a block longer than 24 bytes, so the attacker needs control over that device's responses; no check in the driver can intervene, because the i2c core fills the buffer before returning.

The return-value bug is less severe but easy to miss: readings built from stale or incomplete buffer contents are reported as valid, so hardware-monitoring values can be wrong without any error being surfaced to the caller.
