Description
In the Linux kernel, the following vulnerability has been resolved:

iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

When simple_write_to_buffer() succeeds, it returns the number of bytes
actually copied to the buffer. The code incorrectly uses 'count'
as the index for null termination instead of the actual bytes copied.
If count exceeds the buffer size, this leads to out-of-bounds write.
Add a check for the count and use the return value as the index.

The bug was validated using a demo module that mirrors the original
code and was tested under QEMU.

Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an
  out-of-bounds write on the stack.

Steps to reproduce:
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the OOB.

Found via static analysis. This is similar to the
commit da9374819eb3 ("iio: backend: fix out-of-bound write")
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Write leading to Kernel Stack Corruption and Potential Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

In the Linux kernel's IIO DAC driver for the ad3552r‑hs device, an out‑of‑bounds write occurs when a user writes more than 64 bytes to the device node. The kernel code mistakenly uses the original write length (count) to index the buffer during null termination, causing a write past the end of a 64‑byte stack buffer. This flaw can corrupt kernel memory and potentially allow an attacker with local privileges to gain elevated privileges or crash the system. The weakness is classified as CWE‑787.
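The indexing error described above, as an added userspace model (not the driver's code and not the upstream patch): `model_write_to_buffer` stands in for `simple_write_to_buffer()`, and a 256-byte canary-filled array stands in for the 64-byte buffer plus the stack bytes behind it. The `BUF_SZ - 1` limit, the `-ENOSPC` return and all function names here are assumptions.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SZ   64   /* stack buffer size stated in the advisory */
#define FRAME_SZ 256  /* buf plus modelled neighbouring stack bytes (assumption) */
#define CANARY   0xAA

/* Userspace stand-in for simple_write_to_buffer(): copies at most
 * (available - *ppos) bytes and returns how many were actually copied. */
static ssize_t model_write_to_buffer(void *to, size_t available, long *ppos,
                                     const void *from, size_t count)
{
    if (*ppos < 0) return -EINVAL;
    if ((size_t)*ppos >= available || count == 0) return 0;
    if (count > available - (size_t)*ppos) count = available - (size_t)*ppos;
    memcpy((char *)to + *ppos, from, count);
    *ppos += (long)count;
    return (ssize_t)count;
}

/* Shared handler body. Returns 0 if only buf was written, the offset of the
 * clobbered byte if memory past buf changed, or a negative errno. */
static long handle_write(const char *user, size_t count, int fixed)
{
    unsigned char frame[FRAME_SZ];   /* frame[0..63] plays the role of buf */
    long pos = 0;

    if (count >= FRAME_SZ) return -EINVAL;        /* limit of this model only */
    memset(frame, CANARY, sizeof(frame));
    if (fixed && count >= BUF_SZ) return -ENOSPC; /* added length check */

    ssize_t ret = model_write_to_buffer(frame, BUF_SZ - 1, &pos, user, count);
    if (ret < 0) return ret;
    frame[fixed ? (size_t)ret : count] = '\0';    /* before fix: index is count */

    for (size_t i = BUF_SZ; i < FRAME_SZ; i++)
        if (frame[i] != CANARY) return (long)i;
    return 0;
}

/* The advisory's reproducer input: 128 bytes of 'A'. */
static long replay_128(int fixed)
{
    char payload[128];
    memset(payload, 'A', sizeof(payload));
    return handle_write(payload, sizeof(payload), fixed);
}
```

The copy itself is always bounded; only the terminator lands outside the buffer, which is why the out-of-bounds write is a single zero byte at offset `count`.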

Affected Systems

The issue affects all Linux kernel releases that include the vulnerable ad3552r‑hs driver before the patch was merged. According to the CPE data, the affected kernels include the 6.19 RC builds (rc1 through rc6), but the flaw exists in any kernel in which the driver is compiled. Therefore any system running the Linux kernel with the unpatched driver, including custom or older vendor builds, is at risk. Updating to the patched kernel or applying the upstream fix removes the vulnerability.

Risk and Exploitability

The CVSS score of 7.8 is rated High. The EPSS score is less than 1%, suggesting a low probability of exploitation at the time of the analysis. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood that a known exploit is circulating. Exploitation requires a local user to write an oversized payload to the device node (e.g., /dev/iio:device? or the corresponding node). The attack vector is therefore local: a non‑privileged user with access to the node can trigger the stack overflow, potentially leading to kernel memory corruption and privilege escalation.

Generated by OpenCVE AI on April 17, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that fixes the out‑of‑bounds write in ad3552r_hs_write_data_source, which is included in Linux kernel releases after the commit that resolved the issue (e.g., kernel 6.19 rc7 or later).
  • If an immediate kernel update cannot be performed, restrict write access to the ad3552r‑hs device node to privileged users by changing file permissions or using a udev rule.
  • As a temporary defensive measure, enable kernel memory safety features such as KASAN or configure the kernel with stack protection options like CONFIG_DEBUG_STACKOVERFLOW.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:15:00 +0000

Type: Weaknesses
Values Added: CWE-787

Type: CPEs
Values Added:
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*

Type: Metrics
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Feb 2026 00:15:00 +0000


Wed, 04 Feb 2026 16:30:00 +0000

Type: Description
Values Added: the text given under Description at the top of this page

Type: Title
Values Added: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

Type: First Time appeared
Values Added: Linux; Linux linux Kernel

Type: CPEs
Values Added: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:32.433Z

Reserved: 2026-01-13T15:37:45.962Z

Link: CVE-2026-23092

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-04T17:16:20.083

Modified: 2026-03-17T21:09:20.000

Link: CVE-2026-23092

Redhat

Severity :

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23092 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses