Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (tps53679) Fix array access with zero-length block read

i2c_smbus_read_block_data() can return 0, indicating a zero-length
read. When this happens, tps53679_identify_chip() accesses buf[ret - 1]
which is buf[-1], reading one byte before the buffer on the stack.

Fix by changing the check from "ret < 0" to "ret <= 0", treating a
zero-length read as an error (-EIO), which prevents the out-of-bounds
array access.

Also fix a typo in the adjacent comment: "if present" instead of
duplicate "if".
Published: 2026-05-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The defect occurs in the Linux kernel’s hwmon subsystem when the tps53679 driver attempts to read data from an I2C‑connected sensor. The i2c_smbus_read_block_data() function can return 0 to indicate a zero‑length block read; the driver incorrectly indexes the buffer as buf[ret–1], which becomes buf[-1] when ret is zero. This causes an out‑of‑bounds read of a byte that resides just before the kernel stack frame. The read could leak small amounts of sensitive stack data or, in rare cases, trigger a kernel fault that may lead to a crash. The vulnerability does not provide a direct code‑execution path. Based on the description, it is inferred that the attack vector requires local access to the I2C device, meaning an attacker would need privileged or local user access to invoke the driver’s read routine. Because no exploit has been published and the vulnerability is not listed in the CISA KEV catalog, the overall risk is considered moderate. The EPSS score of less than 1% suggests a very low probability of exploitation. Risk and exploitation are limited to users who can interact with the device; arbitrary local users are normally restricted via device permissions. Patching the kernel to the version that changes the check from 'ret < 0' to 'ret <= 0' removes the flaw entirely.

Affected Systems

All Linux kernel releases before the commit that updates the tps53679 driver to treat a zero‑length I2C block read as an error are affected. The flaw resides solely in the tps53679 driver within the hwmon subsystem and does not impact other sensors or kernel subsystems.

Risk and Exploitability

The flaw requires an attacker to invoke the driver’s read operation on a device that returns a zero‑length block read. This typically means the user must have local access to the I2C bus and sufficient privileges to map or read the device file. The vulnerability does not directly grant arbitrary code execution, but it can disclose kernel data or cause a kernel crash. With the vulnerability not found in an active exploit database or listed in KEV, the threat remains moderate until an exploit materializes. The CVSS score is 7.1, indicating a high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation.

Generated by OpenCVE AI on May 12, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch that changes the return‑value check to treat a zero-length read as an error
  • Disable or unload the tps53679 driver if the sensor is not required for system operation
  • Restrict local users’ access to the I2C device associated with tps53679 by setting appropriate device permissions or applying SELinux/AppArmor controls

Generated by OpenCVE AI on May 12, 2026 at 22:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-786
References

Fri, 01 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: hwmon: (tps53679) Fix array access with zero-length block read i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".
Title hwmon: (tps53679) Fix array access with zero-length block read
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:15:51.731Z

Reserved: 2026-05-01T14:12:55.974Z

Link: CVE-2026-43005

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T15:16:44.343

Modified: 2026-05-12T19:27:29.520

Link: CVE-2026-43005

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43005 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses