CVE-2026-43380 - Vulnerability Details

- hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read

Description

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read

The q54sj108a2_debugfs_read function suffers from a stack buffer overflow
due to incorrect arguments passed to bin2hex(). The function currently
passes 'data' as the destination and 'data_char' as the source.

Because bin2hex() converts each input byte into two hex characters, a
32-byte block read results in 64 bytes of output. Since 'data' is only
34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end
of the buffer onto the stack.

Additionally, the arguments were swapped: it was reading from the
zero-initialized 'data_char' and writing to 'data', resulting in
all-zero output regardless of the actual I2C read.

Fix this by:
1. Expanding 'data_char' to 66 bytes to safely hold the hex output.
2. Correcting the bin2hex() argument order and using the actual read count.
3. Using a pointer to select the correct output buffer for the final
simple_read_from_buffer call.

Published: 2026-05-08

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel temperature monitoring subsystem contains a buffer overflow that occurs when the q54sj108a2_debugfs_read function processes a 32-byte block read from an I2C device. Because the bin2hex() helper receives the destination and source pointers swapped, it writes 64 bytes of hex output into a 34-byte buffer, overflowing the stack. The overflow corrupts adjacent kernel memory and can enable a local attacker with access to the /sys/kernel/debug interface to execute arbitrary code or cause a denial of service.

Affected Systems

Affected systems are all Linux kernel releases that include the unpatched pmbus/q54sj108a2 driver, which is part of the standard kernel source tree. The vulnerability is present before the fix committed in the linked kernel patches and disappears in the latest kernel versions that incorporate the patch. Anyone running a kernel that still contains this driver is potentially exposed.

Risk and Exploitability

Risk and exploitability: The flaw is local and requires access to the /sys/kernel/debug interface for the pmbus device. While no public exploit exists yet, the stack overwrite creates a high-impact scenario for privileged escalation, and the absence of an EPSS score does not diminish the potential damage. The vulnerability is not currently catalogued in the CISA KEV list, but its severity warrants immediate patching once a kernel update is available.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< a0fc1b9c738fba231f190ab960c83202722efee5
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< c59090c50f62a17129fc4c5407bc4071305a9e82
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< 52db5ef163c96f916d424e472fb17aadc35a9f7a
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< b48a0f8d4541a4f6651dc9a64430ce9fdf5c120b
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< 73a7a345816946d276ad2c46c8bb771de67cfc46
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< 24a7b9daa103fa963b3fd37d8805b23e01621976
`d014538aa38561cd24c5eb228223585f26c5ec71`	affected	< 25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43

Linux

affected

Version	Status	Constraints
`5.11`	affected	—
`0`	unaffected	< 5.11
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that contains the fix from the provided kernel commit series
If an immediate kernel upgrade is not possible, disable or remove the /sys/kernel/debug interface for the pmbus/q54sj108a2 device or restrict it to trusted users only
Monitor kernel logs (e.g., dmesg, /var/log/kern.log) for signs of crashes or abnormal activity that could indicate exploitation attempts

Generated by OpenCVE AI on May 8, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976
https://git.kernel.org/stable/c/25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43
https://git.kernel.org/stable/c/52db5ef163c96f916d424e472fb17aadc35a9f7a
https://git.kernel.org/stable/c/73a7a345816946d276ad2c46c8bb771de67cfc46
https://git.kernel.org/stable/c/a0fc1b9c738fba231f190ab960c83202722efee5
https://git.kernel.org/stable/c/b48a0f8d4541a4f6651dc9a64430ce9fdf5c120b
https://git.kernel.org/stable/c/c59090c50f62a17129fc4c5407bc4071305a9e82

History

Fri, 08 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119 CWE-787

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read. Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call.
Title		hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976 https://git.kernel.org/stable/c/25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 https://git.kernel.org/stable/c/52db5ef163c96f916d424e472fb17aadc35a9f7a https://git.kernel.org/stable/c/73a7a345816946d276ad2c46c8bb771de67cfc46 https://git.kernel.org/stable/c/a0fc1b9c738fba231f190ab960c83202722efee5 https://git.kernel.org/stable/c/b48a0f8d4541a4f6651dc9a64430ce9fdf5c120b https://git.kernel.org/stable/c/c59090c50f62a17129fc4c5407bc4071305a9e82

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:21:28.702Z

Updated: 2026-05-08T14:21:28.702Z

Reserved: 2026-05-01T14:12:56.006Z

Link: CVE-2026-43380

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:16:49.207

Modified: 2026-05-08T15:16:49.207

Link: CVE-2026-43380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T16:15:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object