HIGH
iio ADC DMA Buffer Corruption
CVE-2026-31768
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI6.1MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: iio: adc: ti-adc161s626: use DMA-safe memory for spi_read() Add a DMA-safe buffer and use it for spi_read() instead of a stack memory. All SPI buffers must be DMA-safe. Since we only need up to 3 bytes, we just use a u8[] instead of __be16 and __be32 and change the conversion functions appropriately.
02KernelScan AI Analysis
Risk summary
Systems using TI ADC161S626/ADC141S626 analog-to-digital converter chips over SPI are at risk of kernel panics and system crashes. The vulnerability is reachable by unprivileged local users or processes via the IIO sysfs interface, making it relevant for embedded devices, industrial systems, and any bare-metal product that exposes this ADC to local workloads.
Vulnerability analysis
The driver passes stack-allocated buffers to spi_read(), violating the kernel requirement that all SPI buffers be DMA-safe. When the underlying SPI controller uses DMA, operating on stack memory can cause cache coherency failures, DMA mapping errors, or memory corruption that leads to a kernel panic. The fix replaces the stack buffers with a DMA-aligned u8 array inside the device structure and uses unaligned access helpers for endianness conversion. Because the IIO raw data sysfs attributes are typically world-readable, this crash can be triggered without elevated privileges.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.168 | b3bb8faeca1a |
| 6.12 | 6.12.81 | 67b3a91bdc48 |
| 6.18 | 6.18.22 | 014c6d27878d |
| 6.19 | 6.19.12 | d2d031b0786e |
| 6.6 | 6.6.134 | fa64aab25aba |
| mainline | 7.0 | 768461517a28 |