Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()

Fix two bugs in pt5161l_read_block_data():

1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24],
but i2c_smbus_read_block_data() can return up to
I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into
the caller's buffer before the return value can be checked, so
the post-read length validation does not prevent a stack overrun
if a device returns more than 24 bytes. Resize the buffer to
I2C_SMBUS_BLOCK_MAX.

2. Unexpected positive return on length mismatch: When all three
retries are exhausted because the device returns data with an
unexpected length, i2c_smbus_read_block_data() returns a positive
byte count. The function returns this directly, and callers treat
any non-negative return as success, processing stale or incomplete
buffer contents. Return -EIO when retries are exhausted with a
positive return value, preserving the negative error code on I2C
failure.
Published: 2026-05-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel hwmon driver for the pt5161l sensor, the pt5161l_read_block_data() function declared a 24‑byte buffer but the I2C SMBus protocol can return up to 32 bytes. When a device supplies the maximum length, the kernel copies the data before validating the length, allowing a stack overrun that can corrupt adjacent memory. A second flaw causes the function to return a positive byte count even when retries fail due to an unexpected length, leading callers to process stale or incomplete data. These issues represent a stack-based buffer overflow (CWE‑119) and improper length validation (CWE‑20).

Affected Systems

All Linux kernel versions that include the pt5161l hwmon driver before the commit that fixes the bugs are affected. Systems running any distribution or custom kernel that loads this driver are exposed, regardless of version.

Risk and Exploitability

The vulnerability is exploitable when an I2C device returns more data than the buffer can hold or provides mismatched lengths after all retries. The likely attack vector is local hardware access or a malicious device on the I2C bus, so an attacker would need control over that bus. EPSS is not available and the issue is not listed in the CISA KEV catalog. Without an explicit CVSS score, the risk is considered significant for kernel integrity, but the precise severity cannot be quantified from the supplied data.

Generated by OpenCVE AI on May 28, 2026 at 03:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the pt5161l_read_block_data() fix.
  • If an update is not possible, blacklist or remove the pt5161l driver module so the vulnerable function is never invoked.
  • Restrict access to the I2C bus to trusted users or applications, preventing untrusted code from sending crafted packets that trigger the vulnerable read operation.

Generated by OpenCVE AI on May 28, 2026 at 03:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.
Title hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:47:16.457Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46001

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:17.760

Modified: 2026-06-16T15:26:30.813

Link: CVE-2026-46001

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46001 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:15:05Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-131

    Incorrect Calculation of Buffer Size

  • CWE-20

    Improper Input Validation

  • CWE-787

    Out-of-bounds Write