HIGH
hwmon macsmc Sensor OOB
CVE-2026-23323
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI7.8HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines. Specifically: - The voltage sensor population loop used the wrong prefix ("volt-" instead of "voltage-") and incorrectly assigned sensors to the temperature sensor array (hwmon->temp.sensors) instead of the voltage sensor array (hwmon->volt.sensors). This would lead to out-of-bounds memory access or data corruption when both temperature and voltage sensors were present. - The float conversion in macsmc_hwmon_write_f32() had flawed exponent logic for values >= 2^24 and lacked masking for the mantissa, which could lead to incorrect values being written to the SMC. Fix these issues to ensure correct sensor registration and reliable manual fan control. Confirm that the reported overflow in FIELD_PREP is fixed by declaring macsmc_hwmon_write_f32() as __always_inline for a compile test.
02KernelScan AI Analysis
Risk summary
This vulnerability could allow local attackers with physical access to Apple Silicon devices to cause memory corruption through out-of-bounds writes when the hwmon driver processes both temperature and voltage sensors. The flawed float conversion could also lead to incorrect values being written to system management controller hardware, potentially affecting fan control and thermal management.
Vulnerability analysis
Root Cause: The macsmc hwmon driver had two critical bugs: (1) voltage sensor population loop incorrectly assigned sensors to the temperature sensor array (hwmon->temp.sensors) instead of voltage array (hwmon->volt.sensors), causing out-of-bounds memory access when both sensor types were present; (2) float conversion function macsmc_hwmon_write_f32() had flawed exponent logic and missing mantissa masking that could write incorrect values to the SMC hardware.
Attack Surface: Local attack surface requiring physical access to Apple Silicon devices. The vulnerability affects hardware monitoring sensor registration and fan control functionality. Exploitation requires ability to trigger sensor population during driver initialization or write operations to hwmon interfaces.
Fix Mechanism: The patch fixes both issues: (1) corrects the voltage sensor loop to use proper prefix 'voltage-' instead of 'volt-' and assigns to correct hwmon->volt.sensors array; (2) simplifies float conversion logic with proper exponent calculation using __fls() and adds mantissa masking with FLT_MANT_MASK; (3) marks the function as __always_inline to prevent FIELD_PREP overflow issues.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.7 | 625ef35b70d3 |
| mainline | 7.0 | 5dd69b864911 |