Description
In the Linux kernel, the following vulnerability has been resolved:

net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf

sixpack_receive_buf() does not properly skip bytes with TTY error flags.
The while loop iterates through the flags buffer but never advances the
data pointer (cp), and passes the original count (including error bytes)
to sixpack_decode(). This causes sixpack_decode() to process bytes that
should have been skipped due to TTY errors. The TTY layer does not
guarantee that cp[i] holds a meaningful value when fp[i] is set, so
passing those positions to sixpack_decode() results in KMSAN reporting
an uninit-value read.

Fix this by processing bytes one at a time, advancing cp on each
iteration, and only passing valid (non-error) bytes to sixpack_decode().
This matches the pattern used by slip_receive_buf() and
mkiss_receive_buf() for the same purpose.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

sixpack_receive_buf() in the Linux kernel hamradio driver does not properly skip bytes with TTY error flags. The loop iterates through the flags buffer but never advances the data pointer, and passes the original count—including error bytes—to sixpack_decode(). Because the TTY layer does not guarantee that cp[i] holds a meaningful value when fp[i] is set, passing those positions to sixpack_decode() results in KMSAN reporting an uninitialized value read. The fix changes the loop to process bytes one at a time, advancing cp on each iteration and only passing valid (non‑error) bytes to sixpack_decode().

Affected Systems

The vulnerability is located in the Linux kernel hamradio 6pack networking driver. All kernel releases that include the sixpack_receive_buf path before the commit references listed in the advisory are affected. Administrators should verify that their running kernel contains the patch commit hashes shown in the references.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to send a specially crafted hamradio packet that reaches the uninitialized‑value code path in the driver, potentially triggering KMSAN reports or undefined behavior. No public exploits or evidence of crash have been reported. The impact is limited to the detection of an uninitialized read and any downstream effects are not explicitly documented.

Generated by OpenCVE AI on June 26, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the hamradio 6pack uninitialized‑value fix referenced in the advisory commit links.
  • If a kernel upgrade is not feasible, disable the hamradio interface or the 6pack protocol to prevent the driver from processing packets.
  • Configure firewall or packet filtering rules to reject malformed hamradio packets or restrict hosts only.

Generated by OpenCVE AI on June 26, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Fri, 26 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf sixpack_receive_buf() does not properly skip bytes with TTY error flags. The while loop iterates through the flags buffer but never advances the data pointer (cp), and passes the original count (including error bytes) to sixpack_decode(). This causes sixpack_decode() to process bytes that should have been skipped due to TTY errors. The TTY layer does not guarantee that cp[i] holds a meaningful value when fp[i] is set, so passing those positions to sixpack_decode() results in KMSAN reporting an uninit-value read. Fix this by processing bytes one at a time, advancing cp on each iteration, and only passing valid (non-error) bytes to sixpack_decode(). This matches the pattern used by slip_receive_buf() and mkiss_receive_buf() for the same purpose.
Title net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:22.817Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53082

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53082 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T05:30:17Z

Weaknesses
  • CWE-824

    Access of Uninitialized Pointer