Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()

Fix two bugs in pt5161l_read_block_data():

1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24],
but i2c_smbus_read_block_data() can return up to
I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into
the caller's buffer before the return value can be checked, so
the post-read length validation does not prevent a stack overrun
if a device returns more than 24 bytes. Resize the buffer to
I2C_SMBUS_BLOCK_MAX.

2. Unexpected positive return on length mismatch: When all three
retries are exhausted because the device returns data with an
unexpected length, i2c_smbus_read_block_data() returns a positive
byte count. The function returns this directly, and callers treat
any non-negative return as success, processing stale or incomplete
buffer contents. Return -EIO when retries are exhausted with a
positive return value, preserving the negative error code on I2C
failure.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel’s hwmon driver for the pt5161l sensor, the pt5161l_read_block_data() function allocated a 24‑byte buffer while the I2C SMBus protocol can return up to 32 bytes. This buffer overrun allows a device that supplies the maximum length to corrupt adjacent stack memory, potentially enabling execution of arbitrary code in kernel mode. In addition, the function incorrectly propagates a positive byte count when retries fail due to a length mismatch, causing callers to process stale or incomplete data. The combined flaws represent a stack‑based buffer overflow (CWE‑119) and improper input validation (CWE‑20). The likely attack vector is local hardware access or a malicious I2C device; based on the description, it is inferred that an attacker would need control over the I2C bus to trigger the overflow.

Affected Systems

All Linux kernel versions that ship the pt5161l hwmon driver before the commit that introduces the bug fix are affected. Users running any distribution or custom kernel that loads this driver are exposed.

Risk and Exploitability

The vulnerability is exploitable when an I2C device returns more data than the buffer can hold or supplies mismatched lengths after all retries are exhausted. Attack requires local access to the I2C bus or control over a malicious device that can send crafted packets; this is inferred because the function operates on hardware input. EPSS is not available and the vulnerability is not listed in CISA KEV. While the CVSS score was not specified, a kernel buffer overflow is normally considered high severity, and the risk is significant for systems that expose the pt5161l sensor.

Generated by OpenCVE AI on May 27, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that contains the pt5161l_read_block_data() fix.
  • If an upgrade is not possible, remove or blacklist the pt5161l module or disable the driver so the vulnerable function is never called.
  • Restrict I2C bus access to trusted users or applications, preventing untrusted code from triggering the faulty read operation. The steps above are based on the relevant CWE identifiers for buffer overrun and input validation.

Generated by OpenCVE AI on May 27, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-20

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.
Title hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:55:56.128Z

Reserved: 2026-05-13T15:03:33.091Z

Link: CVE-2026-46001

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:17.760

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46001

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T18:45:39Z

Weaknesses