hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read_CVE-2026-43380

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read

The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.

Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.

Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.

Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.

Basic Information

ID CVE-2026-43380

Source Linux

Published May 8, 2026 at 14:21

Modified May 20, 2026 at 16:08

Affected Product

Vendor Linux

Product Linux

Version d014538aa38561cd24c5eb228223585f26c5ec71

Affected Versions Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71
Linux Linux 5.11

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read\n\nThe q54sj108a2_debugfs_read function suffers from a stack buffer overflow\ndue to incorrect arguments passed to bin2hex(). The function currently\npasses 'data' as the destination and 'data_char' as the source.\n\nBecause bin2hex() converts each input byte into two hex characters, a\n32-byte block read results in 64 bytes of output. Since 'data' is only\n34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end\nof the buffer onto the stack.\n\nAdditionally, the arguments were swapped: it was reading from the\nzero-initialized 'data_char' and writing to 'data', resulting in\nall-zero output regardless of the actual I2C read.\n\nFix this by:\n1. Expanding 'data_char' to 66 bytes to safely hold the hex output.\n2. Correcting the bin2hex() argument order and using the actual read count.\n3. Using a pointer to select the correct output buffer for the final\n   simple_read_from_buffer call.",
    "published": "2026-05-08T14:21:28.702Z",
    "modified": "2026-05-20T16:08:07.058Z",
    "type": "cve",
    "title": "hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/a0fc1b9c738fba231f190ab960c83202722efee5\nhttps://git.kernel.org/stable/c/c59090c50f62a17129fc4c5407bc4071305a9e82\nhttps://git.kernel.org/stable/c/52db5ef163c96f916d424e472fb17aadc35a9f7a\nhttps://git.kernel.org/stable/c/b48a0f8d4541a4f6651dc9a64430ce9fdf5c120b\nhttps://git.kernel.org/stable/c/73a7a345816946d276ad2c46c8bb771de67cfc46\nhttps://git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976\nhttps://git.kernel.org/stable/c/25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43",
    "id": "CVE-2026-43380",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux d014538aa38561cd24c5eb228223585f26c5ec71\nLinux Linux 5.11",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "d014538aa38561cd24c5eb228223585f26c5ec71",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply