KernelScan.io

HIGH

firmware AON Buffer Overflow

CVE-2026-31690

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 3.3 LOW


In the Linux kernel, the following vulnerability has been resolved:

firmware: thead: Fix buffer overflow and use standard endian macros

Addresses two issues in the TH1520 AON firmware protocol driver:

1. Fix a potential buffer overflow where the code used unsafe pointer arithmetic to access the 'mode' field through the 'resource' pointer with an offset. This was flagged by Smatch static checker as: "buffer overflow 'data' 2 <= 3"

2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard kernel endianness conversion macros (cpu_to_be16, etc.) for better portability and maintainability.

The functionality was re-tested with the GPU power-up sequence, confirming the GPU powers up correctly and the driver probes successfully.

[ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware powervr/rogue_36.52.104.182_v1.fw
[ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build 6645434 OS)
[ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on minor 0


Engine v0.2.0

Risk summary

A buffer overflow vulnerability in the T-Head TH1520 AON firmware protocol driver could allow a local user to trigger a limited out-of-bounds write during power management operations. The vulnerability affects systems using T-Head TH1520 SoCs with AON firmware power management functionality.

Affected: drivers/firmware/thead/th1520-aon.c (firmware subsystem)

Vulnerability analysis

The vulnerability stems from unsafe pointer arithmetic in the th1520_aon_power_update function where the code used the RPC_SET_BE16 macro to access the 'mode' field through the 'resource' pointer with a hardcoded offset of 2 bytes. The Smatch static checker flagged this as 'buffer overflow data 2 <= 3', indicating a write beyond the strict bounds of the 'resource' member. In practice, the write lands on the adjacent 'mode' field within the same stack-allocated struct, resulting in a limited two-byte constant write rather than arbitrary memory corruption. The fix replaces the unsafe pointer arithmetic with direct struct member access (msg.resource and msg.mode) and eliminates the custom endianness macros in favor of standard kernel cpu_to_be16() functions. Because the vulnerable code path is triggered through GPU power management and other resource transitions reachable by local users (e.g., via standard DRM device access), exploitation does not require administrative privileges.


Branch     Fixed in   Patch commit
6.18       6.18.23    fbdb43f6bb2a
6.19       6.19.13    bd15a5deb5a7
mainline   7.0        88c4bd907255