Impact
In the Linux kernel hwmon driver for the pt5161l sensor, the pt5161l_read_block_data() function declared a 24‑byte buffer but the I2C SMBus protocol can return up to 32 bytes. When a device supplies the maximum length, the kernel copies the data before validating the length, allowing a stack overrun that can corrupt adjacent memory. A second flaw causes the function to return a positive byte count even when retries fail due to an unexpected length, leading callers to process stale or incomplete data. These issues represent a stack-based buffer overflow (CWE‑119) and improper length validation (CWE‑20).
Affected Systems
All Linux kernel versions that include the pt5161l hwmon driver before the commit that fixes the bugs are affected. Systems running any distribution or custom kernel that loads this driver are exposed, regardless of version.
Risk and Exploitability
The vulnerability is exploitable when an I2C device returns more data than the buffer can hold or provides mismatched lengths after all retries. The likely attack vector is local hardware access or a malicious device on the I2C bus, so an attacker would need control over that bus. EPSS is < 1% and the issue is not listed in the CISA KEV catalog. With a CVSS score of 7.8, the risk is significant for kernel integrity, indicating a high potential for causing system disruption if exploited.
OpenCVE Enrichment
Ubuntu USN