HIGH
iio SPS30 Overflow
CVE-2026-43476
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.9 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()

sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to correctly match the buffer element type.
02 KernelScan AI Analysis
Risk summary
An out-of-bounds write in the SPS30 particulate matter sensor I2C driver can corrupt kernel memory when reading measurements through the IIO subsystem. A local user with access to the IIO device interface can trigger the bug. The vulnerability can lead to system crashes or potential privilege escalation.
Vulnerability analysis
The bug occurs in sps30_i2c_read_meas() where sizeof(num) incorrectly evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). This causes the I2C command to request more data than the caller's buffer can hold, resulting in an out-of-bounds write. The fix changes sizeof(num) to sizeof(*meas) to correctly calculate the __be32 element size. The bug is reachable by local users interacting with the IIO sysfs/chardev interface (e.g., reading sensor measurements), not by physical manipulation of the bus.
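The size mismatch described above, as an added user-space example that is not the driver's code: `fake_bus_read`, `len_buggy`, `len_fixed` and `overrun_bytes` are hypothetical names, `uint32_t` stands in for `__be32`, and the transfer is modelled with a `memset` into an oversized arena so the demonstration itself never writes out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD 0xA5      /* fill pattern for memory the caller does not own */
#define MAX_ELEMS 16    /* constructed limit for this demo */

/* Stand-in for the bus transfer: the "device" delivers exactly len bytes. */
static void fake_bus_read(void *dst, size_t len) { memset(dst, 0x11, len); }

/* Buggy pattern: sizeof(num) is sizeof(size_t), not the element size. */
static size_t len_buggy(const uint32_t *meas, size_t num)
{
    (void)meas;
    return num * sizeof(num);
}

/* Fixed pattern: sizeof(*meas) follows the buffer's element type. */
static size_t len_fixed(const uint32_t *meas, size_t num)
{
    return num * sizeof(*meas);
}

/* Returns how many bytes land past a num-element uint32_t buffer. */
static size_t overrun_bytes(size_t num, int buggy)
{
    uint32_t arena[MAX_ELEMS * 4];          /* caller buffer + guard region */
    unsigned char *bytes = (unsigned char *)arena;
    size_t cap = num * sizeof(arena[0]);    /* bytes the caller really owns */
    size_t len, i, over = 0;

    if (num == 0 || num > MAX_ELEMS)
        return 0;
    memset(bytes, GUARD, sizeof(arena));
    len = buggy ? len_buggy(arena, num) : len_fixed(arena, num);
    fake_bus_read(arena, len);
    for (i = cap; i < sizeof(arena); i++)   /* count disturbed guard bytes */
        if (bytes[i] != GUARD)
            over++;
    return over;
}

int main(void)
{
    printf("fixed: %zu bytes past buffer\n", overrun_bytes(4, 0));
    printf("buggy: %zu bytes past buffer\n", overrun_bytes(4, 1));
    return 0;
}
```

On a 32-bit build `sizeof(size_t)` equals the 4-byte element size, so both variants report zero; the overrun appears only where `size_t` is wider than the element.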
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.15 | 5.15.203 | 9aff2e9c2927 |
| 6.1 | 6.1.167 | 08881d82f94d |
| 6.12 | 6.12.78 | 2a4d111a6a34 |
| 6.18 | 6.18.19 | 90e978ace598 |
| 6.19 | 6.19.9 | 165f12b40901 |
| 6.6 | 6.6.130 | dcdf1e92674e |
| mainline | 7.0 | 216345f98cae |