Description
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: dell-wmi-sysman: bound enumeration string aggregation

populate_enum_data() aggregates firmware-provided value-modifier
and possible-value strings into fixed 512-byte struct members.
The current code bounds each individual source string but then
appends every string and separator with raw strcat() and no
remaining-space check.

Switch the aggregation loops to a bounded append helper and
reject enumeration packages whose combined strings do not fit
in the destination buffers.

[ij: add include]
Published: 2026-06-24
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Dell WMI SysMan driver for Linux x86 concatenates firmware‐supplied enumeration strings into a fixed 512‑byte buffer using raw strcat() calls without a cumulative length check. Each source string is individually bounded, but the aggregate append operation ignores the remaining space, enabling a buffer overflow if the combined strings exceed the available buffer capacity. An attacker who can supply crafted enumeration data—such as via modified firmware—could trigger this overflow, potentially corrupting kernel memory and leading to a kernel crash, privilege escalation, or denial of service. The vulnerability is thus a kernel memory corruption flaw that directly affects system integrity and availability.

Affected Systems

All Linux kernels that include the Dell WMI SysMan module for the x86 architecture before the patch are affected. The CNA vendor list indicates that the vulnerability applies to Linux:Linux, meaning any distribution shipping the kernel with this module is vulnerable. The driver is an upstream component, so the issue is present in all kernel releases prior to the patch, regardless of vendor or distribution.

Risk and Exploitability

The CVSS score of 7.0 signifies a high severity, while the EPSS score of < 1% and the absence from the CISA KEV catalog suggest that exploitation activity is currently low. However, generating custom enumeration strings in firmware is feasible on systems with Dell hardware, and the lack of safety checks in the aggregation loop leaves the kernel at risk of overflow. Thus, the risk remains moderate to high for administrators managing affected Dell devices, as the flaw could allow privilege escalation or system destabilization. The primary attack vector is inferred to be delivery of malicious firmware enumeration data to the driver.

Generated by OpenCVE AI on June 30, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the Dell WMI SysMan patch
  • If an immediate kernel upgrade is not possible, blacklist the module by adding "blacklist dell_wmi" to the appropriate modprobe configuration
  • Ensure that only trusted firmware is loaded by disabling or restricting BIOS firmware update channels
  • Monitor system logs for kernel panics or unexpected crashes related to the Dell WMI interface

Generated by OpenCVE AI on June 30, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Tue, 30 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Tue, 30 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 24 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: bound enumeration string aggregation populate_enum_data() aggregates firmware-provided value-modifier and possible-value strings into fixed 512-byte struct members. The current code bounds each individual source string but then appends every string and separator with raw strcat() and no remaining-space check. Switch the aggregation loops to a bounded append helper and reject enumeration packages whose combined strings do not fit in the destination buffers. [ij: add include]
Title platform/x86: dell-wmi-sysman: bound enumeration string aggregation
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:31.552Z

Reserved: 2026-06-09T07:44:35.379Z

Link: CVE-2026-53022

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53022 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T05:00:04Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-122

    Heap-based Buffer Overflow