Description
In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as
a loop bound over port_msg->data[] without checking that the message buffer
contains sufficient data. A modem sending port_count=65535 in a 12-byte
buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header
fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a
remaining-buffer check before accessing data_len, validate feat_data_len
against the actual remaining buffer to prevent OOB reads and signed
integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after
skb_pull(), and the validated feat_data_len at the handshake path.
Published: 2026-05-21
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Linux kernel WWAN driver for T7xx modems uses a modem‑supplied port_count value as a loop bound without checking that the surrounding message buffer contains enough data. When a modem sends a port_count of 65535 in a very short 12‑byte payload, the driver performs an out‑of‑bounds read of up to 262 140 bytes from kernel memory, potentially exposing sensitive data. The vulnerability also mentions a signed integer overflow, but it is not confirmed whether this leads to further memory corruption.

Affected Systems

All Linux kernel releases that include the t7xx WWAN driver before the patch has been applied; this includes any system that loads the T7xx modem driver and accepts messages from an external modem interface.

Risk and Exploitability

An attacker who can control or spoof messages sent to the WWAN interface can trigger the malformed port_count exploit, enabling the reading of arbitrary kernel memory. No public exploit is known and the signed integer overflow is not confirmed to produce additional damage. Because the bug is not listed in the CISA KEV catalog and no exploit metrics are available, the risk is limited primarily to information disclosure in environments where untrusted modems are accepted. The lack of bounds checks may increase the likelihood of successful exploitation, as inferred from the text.

Generated by OpenCVE AI on May 21, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the patch fixing the out‑of‑bounds read in t7xx_port_enum_msg_handler.
  • If an immediate kernel upgrade is not possible, block the device from accepting traffic from untrusted modems by disabling WWAN services or applying strict access controls on the modem interface.
  • Verify that the kernel configuration does not expose the vulnerable driver to unprivileged users, and monitor for anomalous WWAN traffic that could indicate an attempt to exploit the flaw.

Generated by OpenCVE AI on May 21, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Thu, 21 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
Title net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-21T12:12:45.988Z

Reserved: 2026-05-01T14:12:56.013Z

Link: CVE-2026-43495

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T13:16:18.847

Modified: 2026-05-21T13:16:18.847

Link: CVE-2026-43495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T15:30:13Z

Weaknesses