Description
In the Linux kernel, the following vulnerability has been resolved:

clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841

The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure
there are 8 slots for those newly registered clk_hw pointers, else
there is going to be out of bounds write when pointers 4..7 are set
into struct rs9_driver_data .clk_dif[4..7] field.

Since there are other structure members past this struct clk_hw
pointer array, writing to .clk_dif[4..7] fields corrupts both
the struct rs9_driver_data content and data around it, sometimes
without crashing the kernel. However, the kernel does surely
crash when the driver is unbound or during suspend.

Fix this, increase the struct clk_hw pointer array size to the
maximum output count of 9FGV0841, which is the biggest chip that
is supported by this driver.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel's rs9 driver reserved too few struct clk_hw slots for the 9FGV0841, which has eight outputs and registers eight clk_hw pointers. When the driver writes pointers 4..7 into the clk_dif array, the array bounds are exceeded and adjacent structure data is overwritten. This out-of-bounds write corrupts the rs9_driver_data structure and the memory around it, leading to unpredictable kernel behavior. In many cases the system does not crash immediately, but the kernel is guaranteed to crash when the driver is unbound or during suspend, and the memory corruption could be leveraged by a local attacker to achieve privilege escalation or denial of service.
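The overflow described above, modelled in user-space C as an added example (not the driver's code). Only the .clk_dif field and the fact that other members follow it come from the advisory; the 4-slot "before" size is inferred from the out-of-range indices 4..7, and the other member names and the helper functions are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

struct clk_hw { int unused; };           /* stand-in for the kernel type */

/* Simplified models of struct rs9_driver_data; members other than
 * .clk_dif are hypothetical placeholders for "other structure members". */
struct rs9_before {
    void *regmap;                        /* hypothetical leading member */
    struct clk_hw *clk_dif[4];           /* too small for 8 outputs */
    unsigned char pll_cfg[3];            /* hypothetical trailing members */
};

struct rs9_after {
    void *regmap;
    struct clk_hw *clk_dif[8];           /* sized for the largest chip */
    unsigned char pll_cfg[3];
};

#define SLOTS(s) (sizeof(((s *)0)->clk_dif) / sizeof(struct clk_hw *))

/* Bytes that land past the pointer array when n_outputs pointers are stored. */
size_t spill_past_array(size_t slots, size_t n_outputs)
{
    return n_outputs > slots ? (n_outputs - slots) * sizeof(struct clk_hw *) : 0;
}

/* Portion of those stores that lands beyond the end of the whole struct. */
size_t spill_past_struct(size_t array_off, size_t struct_size, size_t n_outputs)
{
    size_t end = array_off + n_outputs * sizeof(struct clk_hw *);
    return end > struct_size ? end - struct_size : 0;
}

/* Bounds-checked store: refuses an index the array cannot hold. */
int store_hw(struct clk_hw **slots, size_t n_slots, size_t idx, struct clk_hw *hw)
{
    if (idx >= n_slots)
        return -1;
    slots[idx] = hw;
    return 0;
}

int main(void)
{
    size_t off = offsetof(struct rs9_before, clk_dif);
    printf("before: %zu bytes past array, %zu bytes past struct\n",
           spill_past_array(SLOTS(struct rs9_before), 8),
           spill_past_struct(off, sizeof(struct rs9_before), 8));
    printf("after:  %zu bytes past array\n", spill_past_array(SLOTS(struct rs9_after), 8));
    return 0;
}
```

In the "before" layout, part of the spill covers the trailing members and the rest lands outside the allocation, which matches the advisory's statement that both the structure content and the data around it are corrupted.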

Affected Systems

The vulnerability affects Linux kernel builds that include the rs9 clock driver, before the patch that increases the clk_hw pointer array to accommodate all 8 outputs of the 9FGV0841 device. Versions of the kernel in which this driver is compiled and the device is (or could be) in use are impacted. No specific kernel version range is provided in the advisory, so any kernel that ships the unpatched rs9 driver is potentially vulnerable.

Risk and Exploitability

The vulnerability is an out-of-bounds write that can corrupt kernel memory (CWE‑787). The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Because the flaw occurs in a device driver, the likely attack vector requires the attacker to have local access and the ability to interact with the 9FGV0841 hardware (or to develop a kernel module that loads the driver). Successful exploitation could result in a kernel panic or provide a foothold for privilege escalation. The lack of publicly known exploits means risk depends primarily on the exposure of the device and the presence of the patched driver.

Generated by OpenCVE AI on May 6, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the rs9 driver patch resolving the array size issue.
  • Reboot the system so the updated driver is loaded and the out-of-bounds condition is no longer possible.
  • If an immediate kernel update cannot be applied, disable or unload the rs9 driver or remove the 9FGV0841 device from the system to prevent the vulnerable driver from being loaded until the patch is available.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-787

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
Title clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:49.496Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43175

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:35.967

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43175

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T14:15:05Z
