HIGH
hwmon TPS53679 OOB
CVE-2026-43005
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 3.4 LOW
01 Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (tps53679) Fix array access with zero-length block read

i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack.

Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access.

Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".
02 KernelScan AI Analysis
Risk summary
Systems with TPS53679/TPS53685 power management chips are vulnerable to a stack buffer underflow that could leak kernel memory or cause system instability. The vulnerability requires root privileges to access I2C devices and is triggered when the hardware returns unexpected zero-length data. Impact is limited to information disclosure and potential denial of service.
Vulnerability analysis
The vulnerability occurs in tps53679_identify_chip() when i2c_smbus_read_block_data() returns 0 (zero-length read) but the code assumes a positive return value. The subsequent access to buf[ret - 1] becomes buf[-1], reading one byte before the stack buffer. This out-of-bounds read can leak kernel stack data or cause memory corruption. The fix changes the error check from 'ret < 0' to 'ret <= 0', treating zero-length reads as errors and preventing the invalid array access. The attack surface is local-only, requiring CAP_SYS_ADMIN or root privileges to access I2C devices through /dev/i2c-* interfaces.
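The check change described above, as an added userspace model (not the kernel driver's source): `fake_block_read`, `id_len_before_fix`, `id_len_after_fix` and `run` are hypothetical names, and the device replies are constructed. The buffer is placed at `frame + 1` so that `buf[-1]` lands on a known in-bounds byte and the model stays well-defined C.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_MAX 32 /* maximum SMBus block payload */

/* Constructed device reply; ret follows the convention described above:
 * <0 errno, 0 zero-length read, >0 number of bytes copied into buf. */
struct fake_reply { int ret; const char *data; };

static int fake_block_read(const struct fake_reply *r, unsigned char *buf)
{
    if (r->ret > 0)
        memcpy(buf, r->data, (size_t)r->ret);
    return r->ret;
}

/* Pre-fix check ("ret < 0"): a zero-length read reaches buf[ret - 1]. */
static int id_len_before_fix(const struct fake_reply *r, unsigned char *buf)
{
    int ret = fake_block_read(r, buf);
    if (ret < 0)
        return ret;
    return buf[ret - 1] != '\0' ? ret : ret - 1; /* ret == 0 -> buf[-1] */
}

/* Fixed check ("ret <= 0"): a zero-length read is reported as -EIO. */
static int id_len_after_fix(const struct fake_reply *r, unsigned char *buf)
{
    int ret = fake_block_read(r, buf);
    if (ret <= 0)
        return ret < 0 ? ret : -EIO;
    return buf[ret - 1] != '\0' ? ret : ret - 1; /* strip a trailing NUL */
}

/* Run one variant with frame[0] standing in for the byte before buf. */
static int run(int fixed, int ret, const char *data, unsigned char neighbour)
{
    unsigned char frame[1 + BLOCK_MAX] = { 0 };
    struct fake_reply r = { ret, data };
    frame[0] = neighbour;
    return (fixed ? id_len_after_fix : id_len_before_fix)(&r, frame + 1);
}

int main(void)
{
    printf("before fix, zero-length read: %d\n", run(0, 0, "", 0x41));
    printf("after fix,  zero-length read: %d\n", run(1, 0, "", 0x41));
    return 0;
}
```

With the old check, the computed length for a zero-length read depends on the byte in front of the buffer; with the new check it is always `-EIO`.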
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.22 | 79b7e588399b |
| 6.19 | 6.19.12 | 6999b4769e2a |
| mainline | 7.0 | 0e211f6aaa6a |