KernelScan.io

HIGH

comedi Firmware OOB

CVE-2026-31748

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 5.0 MEDIUM


In the Linux kernel, the following vulnerability has been resolved:

comedi: me_daq: Fix potential overrun of firmware buffer

`me2600_xilinx_download()` loads the firmware that was requested by `request_firmware()`. It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable `file_length` and reads the data stream contents of length `file_length` from offset 16 onwards. Although it checks that the supplied firmware is at least 16 bytes long, it does not check that it is long enough to contain the data stream.

Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return `-EINVAL`.


Engine v0.2.0

Risk summary

Systems with ME-2600 series PCI data acquisition hardware are vulnerable to limited kernel memory disclosure and denial of service when malicious firmware is loaded. Only privileged users with root access or CAP_SYS_RAWIO can trigger this vulnerability. The unbounded out-of-bounds read will leak slab data before hitting unmapped pages and causing a kernel panic.

Affected: drivers/comedi/drivers/me_daq.c (COMEDI me_daq driver)

Vulnerability analysis

The me2600_xilinx_download() function trusts the file_length field from firmware headers without validating that the firmware buffer contains enough data. An attacker with root privileges can provide malicious firmware where file_length exceeds the actual data available, causing the kernel to read beyond the buffer boundary. Because file_length is a 32-bit value and is not capped against the buffer size, the read is effectively unbounded and will traverse adjacent kernel memory until it hits unmapped pages, resulting in a kernel panic. The fix adds proper bounds checking to ensure that 16 + file_length does not exceed the total firmware size before proceeding with the download.
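The length check described above, as an added user-space C example (not the driver's code and not the upstream patch). The function name, the big-endian reading of the 4-byte length field and the sample images are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FW_HEADER_LEN 16u /* data stream starts at offset 16 */

/*
 * Return the data stream length if the image holds the 16-byte header
 * plus the whole stream, otherwise -EINVAL.
 * Assumption: the 4-byte length field is big-endian.
 */
static int64_t fw_stream_length(const uint8_t *data, size_t size)
{
    uint32_t file_length;

    if (size < FW_HEADER_LEN)
        return -EINVAL; /* too short to hold the header */

    file_length = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                  ((uint32_t)data[2] << 8) | (uint32_t)data[3];

    /*
     * Compare against the bytes left after the header. The form
     * "16 + file_length > size" can wrap when evaluated in 32 bits.
     */
    if (file_length > size - FW_HEADER_LEN)
        return -EINVAL; /* header claims more data than was supplied */

    return (int64_t)file_length;
}

/* Constructed sample images, not real ME-2600 firmware. */
static const uint8_t fw_ok[20] = { 0x00, 0x00, 0x00, 0x04 };    /* 16 + 4 */
static const uint8_t fw_over[20] = { 0x00, 0x00, 0x00, 0x05 };  /* one byte short */
static const uint8_t fw_wrap[20] = { 0xff, 0xff, 0xff, 0xf8 };  /* 16 + len wraps to 8 */
static const uint8_t fw_short[8] = { 0x00, 0x00, 0x00, 0x01 };  /* no full header */

int main(void)
{
    printf("ok:    %lld\n", (long long)fw_stream_length(fw_ok, sizeof(fw_ok)));
    printf("over:  %lld\n", (long long)fw_stream_length(fw_over, sizeof(fw_over)));
    printf("wrap:  %lld\n", (long long)fw_stream_length(fw_wrap, sizeof(fw_wrap)));
    printf("short: %lld\n", (long long)fw_stream_length(fw_short, sizeof(fw_short)));
    return 0;
}
```

Only the first image is accepted; the other three return `-EINVAL` before any byte past the supplied buffer would be read.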


| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.253 | 2fc25a4c2e05 |
| 5.15 | 5.15.203 | 9f39fa07259e |
| 6.1 | 6.1.168 | f3f8ec00cfb8 |
| 6.12 | 6.12.81 | 1bf8761eb59e |
| 6.18 | 6.18.22 | a47ae40339c1 |
| 6.19 | 6.19.12 | c8c607a77aab |
| 6.6 | 6.6.134 | c16ac4e173a0 |
| mainline | 7.0 | cc797d4821c7 |