HIGH
comedi Firmware OOB
CVE-2026-31747
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 5.5 (MEDIUM)
Description

In the Linux kernel, the following vulnerability has been resolved:

comedi: me4000: Fix potential overrun of firmware buffer

`me4000_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards.

Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.

Note: The firmware loading was totally broken before commit ac584af59945 ("staging: comedi: me4000: fix firmware downloading"), but that is the most sensible target for this fix.
KernelScan AI Analysis
Risk summary
Systems using ME-4000 series data acquisition cards are vulnerable to kernel crashes when loading malformed firmware files. An attacker with local access and the ability to supply firmware files could cause a denial of service through a kernel panic.
Vulnerability analysis
The vulnerability occurs in `me4000_xilinx_download()`, which reads a data stream length from the first 4 bytes of the firmware blob and then reads that many bytes starting at offset 16 without checking that the firmware buffer is actually large enough. This is an out-of-bounds read that can crash the kernel. The fix adds a bounds check so that the firmware buffer must contain both the 16-byte header and the claimed data stream length before the download proceeds.
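The bounds check the fix describes, as an added example in user-space C (not the driver's own code): it parses the 4-byte length field (big-endian order is an assumption; the page does not state it), rejects any blob that cannot hold the 16-byte header plus the claimed stream, and guards the download loop with that check. The sample blobs are constructed, not real ME-4000 firmware.

```c
#include <stddef.h>
#include <stdint.h>

#define ME4000_FW_HDR_LEN 16u   /* data stream begins at offset 16 */
#define ME4000_EINVAL     (-22) /* stands in for the kernel's -EINVAL */

/* Constructed sample blobs (not real ME-4000 firmware). */
static const uint8_t fw_good[20] = { 0, 0, 0, 4 };             /* claims 4, has 4 */
static const uint8_t fw_over[20] = { 0, 0, 0, 5 };             /* claims 5, has 4 */
static const uint8_t fw_huge[20] = { 0xff, 0xff, 0xff, 0xff }; /* claims ~4 GiB */
static const uint8_t fw_short[8] = { 0 };                      /* no full header */

/* Length field in the first 4 bytes; big-endian byte order is assumed. */
static uint32_t me4000_fw_stream_len(const uint8_t *data)
{
	return ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
	       ((uint32_t)data[2] << 8)  |  (uint32_t)data[3];
}

/* The check the fix adds: the blob must hold the whole header plus
 * file_length bytes after it.  Compare against (size - header) rather than
 * computing (header + file_length), which could wrap on a 32-bit size_t. */
int me4000_fw_validate(const uint8_t *data, size_t size, uint32_t *stream_len)
{
	uint32_t file_length;
	if (size < ME4000_FW_HDR_LEN)
		return ME4000_EINVAL;            /* not even a complete header */
	file_length = me4000_fw_stream_len(data);
	if (file_length > size - ME4000_FW_HDR_LEN)
		return ME4000_EINVAL;            /* claimed stream overruns the buffer */
	*stream_len = file_length;
	return 0;
}

/* Download loop guarded by the check.  The driver's outb() to the Xilinx
 * port is replaced by a read that stays inside the buffer by construction. */
int me4000_fw_download(const uint8_t *data, size_t size, size_t *bytes_sent)
{
	uint32_t len, i;
	volatile uint8_t sink = 0;
	int rc = me4000_fw_validate(data, size, &len);
	if (rc)
		return rc;
	for (i = 0; i < len; i++)
		sink ^= data[ME4000_FW_HDR_LEN + i];
	if (bytes_sent)
		*bytes_sent = len;
	return 0;
}
```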
Fix Versions

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 8ddfe6495c24 |
| 5.15 | 5.15.203 | 64b24b713e1a |
| 6.1 | 6.1.168 | f72b5567f7c1 |
| 6.6 | 6.6.134 | 1603dd471f47 |
| 6.12 | 6.12.81 | 99f31aa98ab6 |
| 6.18 | 6.18.22 | eae19cab4420 |
| 6.19 | 6.19.12 | de3f923ae7d9 |
| mainline | 7.0 | 3fb43a7a5b44 |