HIGH
hwmon Debugfs Overflow
CVE-2026-43380
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 5.0 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read

The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source.

Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack.

Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read.

Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call.
02 KernelScan AI Analysis
Risk summary
A stack buffer overflow in the Delta Q54SJ108A2 power supply driver's debugfs interface allows local privileged attackers to cause a kernel panic and leak kernel stack memory. The bug writes fixed data past the end of a stack buffer and subsequently performs an out-of-bounds read that exposes adjacent kernel stack contents to user space. Systems with this specific I2C-connected hardware and debugfs access enabled are at risk.
Vulnerability analysis
The q54sj108a2_debugfs_read function contains a stack buffer overflow where bin2hex() writes 64 bytes of hex output into a 34-byte stack buffer, corrupting 30 bytes of adjacent stack memory with fixed data (ASCII '0' characters). Additionally, because the return value is miscalculated as 64, the subsequent simple_read_from_buffer() call reads 66 bytes from the 34-byte buffer, leaking up to 32 bytes of kernel stack memory to user space. The fix expands the destination buffer, corrects the argument order, and uses the actual I2C read count. Exploitation requires local root access to the debugfs interface and the presence of the Delta PSU on the I2C bus. The fixed payload and limited overflow length prevent arbitrary code execution, limiting impact to denial of service (kernel panic) and information disclosure.
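The sizing arithmetic and the corrected call shape described above, as an added userspace C model (not the driver's code or the upstream patch). `model_bin2hex`, `hex_overrun` and `format_block` are hypothetical names; the 34- and 66-byte sizes are the ones the description gives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32                      /* 34 = I2C_SMBUS_BLOCK_MAX + 2 */
#define DATA_LEN      (I2C_SMBUS_BLOCK_MAX + 2)     /* 34: 'data' in the description */
#define DATA_CHAR_LEN (2 * I2C_SMBUS_BLOCK_MAX + 2) /* 66: expanded 'data_char' */

/* Userspace stand-in for bin2hex(dst, src, count): emits 2*count chars, no NUL. */
static char *model_bin2hex(char *dst, const void *src, size_t count)
{
    static const char hex[] = "0123456789abcdef";
    const uint8_t *p = src;
    while (count--) {
        *dst++ = hex[*p >> 4];
        *dst++ = hex[*p++ & 0x0f];
    }
    return dst;
}

/* Bytes a hex conversion of 'count' input bytes writes past 'dst_len' (0 = fits). */
static size_t hex_overrun(size_t dst_len, size_t count)
{
    return 2 * count > dst_len ? 2 * count - dst_len : 0;
}

/* Corrected shape: raw bytes are the source, the 66-byte buffer is the
 * destination, and the length follows the actual read count. Returns the
 * hex length copied to 'out', or -1 if the input or output size is wrong. */
static int format_block(const uint8_t *data, size_t nread, char *out, size_t out_len)
{
    char data_char[DATA_CHAR_LEN] = { 0 };
    size_t len;
    if (nread > I2C_SMBUS_BLOCK_MAX || hex_overrun(out_len, nread))
        return -1;
    len = (size_t)(model_bin2hex(data_char, data, nread) - data_char);
    memcpy(out, data_char, len);
    return (int)len;
}

int main(void)
{
    const uint8_t sample[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed input */
    char out[DATA_CHAR_LEN];
    int n = format_block(sample, sizeof(sample), out, sizeof(out));
    printf("34-byte dst overrun: %zu, 66-byte dst overrun: %zu, hex: %.*s\n",
           hex_overrun(DATA_LEN, 32), hex_overrun(DATA_CHAR_LEN, 32), n, out);
    return 0;
}
```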
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | a0fc1b9c738f |
| 6.1 | 6.1.167 | c59090c50f62 |
| 6.12 | 6.12.78 | b48a0f8d4541 |
| 6.18 | 6.18.19 | 73a7a3458169 |
| 6.19 | 6.19.9 | 24a7b9daa103 |
| 6.6 | 6.6.130 | 52db5ef163c9 |
| mainline | 7.0 | 25dd70a03b1f |