Description
In the Linux kernel, the following vulnerability has been resolved:

clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841

The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure
there are 8 slots for those newly registered clk_hw pointers, else
there is going to be out of bounds write when pointers 4..7 are set
into struct rs9_driver_data .clk_dif[4..7] field.

Since there are other structure members past this struct clk_hw
pointer array, writing to .clk_dif[4..7] fields corrupts both
the struct rs9_driver_data content and data around it, sometimes
without crashing the kernel. However, the kernel does surely
crash when the driver is unbound or during suspend.

Fix this, increase the struct clk_hw pointer array size to the
maximum output count of 9FGV0841, which is the biggest chip that
is supported by this driver.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A driver that manages clock hardware for the 9FGV0841 device allocates space for eight `clk_hw` pointers, but the device actually registers eight outputs. When the driver writes pointers 4 through 7 into an array that has only eight slots, the write goes beyond the allocated bounds and corrupts adjacent data in the `rs9_driver_data` structure. The corruption may not immediately crash the kernel, but it does corrupt kernel memory and causes a crash when the driver is unloaded or during suspend operations.

Affected Systems

All Linux kernel builds that include the unpatched rs9 clock driver and are connected to a 9FGV0841 device are affected. The advisories do not specify a kernel version range, so the vulnerability applies to any kernel that contains the original driver code before the fix is merged.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is < 1%, and the vulnerability is not listed in CISA’s KEV catalog. The failure mode is a local out‑of‑bounds write; the likely attack vector is local, requiring an attacker to have access to the system or to interact with the 9FGV0841 hardware to trigger the vulnerable driver code. No widespread remote exploitation has been documented as the flaw lies in a kernel device driver.

Generated by OpenCVE AI on May 12, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the rs9 driver patch resolving the array size issue
  • Reboot the system so the updated driver is loaded and the out‑of‑bounds condition cannot occur
  • If no update is immediately available, disable or remove the rs9 driver or detach the 9FGV0841 device to prevent the driver from loading until a patch is applied

Generated by OpenCVE AI on May 12, 2026 at 22:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-787

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-788
References

Wed, 06 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-787

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
Title clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:14.361Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43175

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:35.967

Modified: 2026-05-12T20:01:25.497

Link: CVE-2026-43175

cve-icon Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43175 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:00:12Z

Weaknesses