CVE Catalog

CVE-2026-46001

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

A vulnerability in the Linux kernel has been fixed in the pt5161l_read_block_data() function, which could lead to buffer overrun and incorrect return values on length mismatch.

Risk Assessment

Organizations may be exposed to buffer overflow attacks, potentially leading to unauthorized access or system crashes. Additionally, processing stale data could result in errors in applications using this function.

Recommendation

It is recommended to update the Linux kernel to the latest version to mitigate this vulnerability and ensure proper error handling in applications using the i2c_smbus_read_block_data() function.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS