CVE-2026-23092

{"id": "CVE-2026-23092", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-04T17:16:20.083", "references": [{"url": "https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source\n\nWhen simple_write_to_buffer() succeeds, it returns the number of bytes\nactually copied to the buffer. The code incorrectly uses 'count'\nas the index for null termination instead of the actual bytes copied.\nIf count exceeds the buffer size, this leads to out-of-bounds write.\nAdd a check for the count and use the return value as the index.\n\nThe bug was validated using a demo module that mirrors the original\ncode and was tested under QEMU.\n\nPattern of the bug:\n- A fixed 64-byte stack buffer is filled using count.\n- If count > 64, the code still does buf[count] = '\\0', causing an\n- out-of-bounds write on the stack.\n\nSteps for reproduce:\n- Opens the device node.\n- Writes 128 bytes of A to it.\n- This overflows the 64-byte stack buffer and KASAN reports the OOB.\n\nFound via static analysis. This is similar to the\ncommit da9374819eb3 (\"iio: backend: fix out-of-bound write\")"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\niio: dac: ad3552r-hs: correcci\u00f3n de escritura fuera de l\u00edmites en ad3552r_hs_write_data_source\n\nCuando simple_write_to_buffer() tiene \u00e9xito, devuelve el n\u00famero de bytes realmente copiados al b\u00fafer. El c\u00f3digo usa incorrectamente 'count' como \u00edndice para la terminaci\u00f3n nula en lugar de los bytes realmente copiados. Si count excede el tama\u00f1o del b\u00fafer, esto lleva a una escritura fuera de l\u00edmites. A\u00f1adir una comprobaci\u00f3n para count y usar el valor de retorno como \u00edndice.\n\nEl error fue validado usando un m\u00f3dulo de demostraci\u00f3n que refleja el c\u00f3digo original y fue probado bajo QEMU.\n\nPatr\u00f3n del error:\n- Un b\u00fafer de pila fijo de 64 bytes se llena usando count.\n- Si count > 64, el c\u00f3digo a\u00fan hace buf[count] = '\\0', causando una\n- escritura fuera de l\u00edmites en la pila.\n\nPasos para reproducir:\n- Abre el nodo del dispositivo.\n- Escribe 128 bytes de A en \u00e9l.\n- Esto desborda el b\u00fafer de pila de 64 bytes y KASAN reporta el OOB.\n\nEncontrado mediante an\u00e1lisis est\u00e1tico. Esto es similar al\ncommit da9374819eb3 ('iio: backend: correcci\u00f3n de escritura fuera de l\u00edmites')"}], "lastModified": "2026-03-17T21:09:20.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "467E1359-7F6A-4790-AC45-172024944460", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}