Severity: HIGH
net/wwan PortEnum OOB
CVE-2026-43495
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 6.8 (MEDIUM)
01 Description
In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, and validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
02 KernelScan AI Analysis
Risk summary
A malicious or compromised MediaTek T7xx modem can trigger massive out-of-bounds reads (up to 262KB) in the kernel by sending crafted port enumeration messages with inflated port counts. This affects systems with MediaTek T7xx cellular modems connected via PCIe and can lead to information disclosure and system crashes.
Vulnerability analysis
The vulnerability occurs in t7xx_port_enum_msg_handler(), which processes port enumeration messages from the T7xx modem without validating that the modem-supplied port_count field corresponds to the available buffer space. The function uses port_count as the loop bound when iterating over the port_msg->data[] array, but never checks whether the message buffer actually contains that many elements. A malicious modem can send port_count=65535 in a minimal 12-byte message, causing the kernel to read up to 262,140 bytes beyond the allocated buffer. A similar issue exists in t7xx_parse_host_rt_data(), which insufficiently validates the rt_feature header and data lengths. The fix adds bounds checking with sizeof() and struct_size() before the message fields are accessed and before the data array is iterated, and passes the message length from both call sites so that validation is performed against the actual buffer size.
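The two checks the description calls for (header fits, then struct_size(port_count) fits within msg_len), as an added example that is not the t7xx driver's code. The struct layout, the port_msg_size() stand-in for struct_size(), and the check_msg() helper are assumptions chosen to match the advisory's numbers (a 12-byte header and 4-byte entries, so 65535 entries would mean 262140 bytes).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: 12-byte header, then one 32-bit entry per port. Chosen to
 * match the advisory's numbers (12-byte buffer, 65535 * 4 = 262140 bytes);
 * not the driver's real struct. */
struct port_msg {
    uint32_t head;
    uint32_t cmd;
    uint16_t port_count;   /* modem-supplied, untrusted */
    uint16_t reserved;
    uint32_t data[];       /* indexed up to port_count by the handler's loop */
};

/* Overflow-safe stand-in for the kernel's struct_size() helper. */
static size_t port_msg_size(size_t count)
{
    if (count > (SIZE_MAX - sizeof(struct port_msg)) / sizeof(uint32_t))
        return SIZE_MAX;
    return sizeof(struct port_msg) + count * sizeof(uint32_t);
}

/* Returns the number of entries safe to iterate, or -1 if msg_len is too
 * short for the header (check 1) or for the claimed port_count (check 2). */
int validate_port_enum_msg(const uint8_t *buf, size_t msg_len)
{
    uint16_t port_count;
    if (msg_len < sizeof(struct port_msg))
        return -1;
    memcpy(&port_count, buf + offsetof(struct port_msg, port_count),
           sizeof(port_count));
    if (port_msg_size(port_count) > msg_len)
        return -1;
    return port_count;
}

/* Builds a constructed message claiming `claimed` ports but carrying only
 * `present` zeroed entries (at most 8), then runs it through the validator. */
int check_msg(uint16_t claimed, size_t present)
{
    uint8_t buf[sizeof(struct port_msg) + 8 * sizeof(uint32_t)] = {0};
    size_t msg_len;
    if (present > 8)
        return -2;
    memcpy(buf + offsetof(struct port_msg, port_count), &claimed, sizeof(claimed));
    msg_len = sizeof(struct port_msg) + present * sizeof(uint32_t);
    return validate_port_enum_msg(buf, msg_len);
}
```

check_msg(65535, 0) reproduces the advisory's crafted case and is rejected by the second check, while check_msg(2, 2) returns 2, the only loop bound that is safe for that buffer.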
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.6 | 6.6.140 | f94450ce5053 |
| 6.12 | 6.12.88 | 9855e063e063 |
| 6.18 | 6.18.30 | 2b56d7903ab8 |
| 7.0 | 7.0.7 | dd4f4c93c148 |
| mainline | 7.1-rc3 | 0e7c074cfcd9 |