CVE-2026-53082 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf

sixpack_receive_buf() does not properly skip bytes with TTY error flags.
The while loop iterates through the flags buffer but never advances the
data pointer (cp), and passes the original count (including error bytes)
to sixpack_decode(). This causes sixpack_decode() to process bytes that
should have been skipped due to TTY errors. The TTY layer does not
guarantee that cp[i] holds a meaningful value when fp[i] is set, so
passing those positions to sixpack_decode() results in KMSAN reporting
an uninit-value read.

Fix this by processing bytes one at a time, advancing cp on each
iteration, and only passing valid (non-error) bytes to sixpack_decode().
This matches the pattern used by slip_receive_buf() and
mkiss_receive_buf() for the same purpose.

Published: 2026-06-24

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The 6pack hamradio driver in the Linux kernel contains an uninitialized‑value bug: while scanning the TTY error flags buffer the loop fails to advance the data pointer and passes corrupted bytes to the sixpack_decode() function. Because the TTY layer does not guarantee that a byte marked with an error flag holds usable data, the decoder receives garbage values. This leads to KMSAN reports of uninitialized reads. The CVE description does not note a crash, but such uninitialized reads can cause kernel memory corruption or kernel instability, potentially resulting in a denial‑of‑service if an attacker crafts a malicious hamradio packet.

Affected Systems

The vulnerability is located in the Linux kernel hamradio 6pack networking driver. All kernel releases that include the sixpack_receive_buf path before the commit references listed in the advisory are affected. No specific version numbers are provided by the CNA; administrators should verify that their running kernel contains the patch commit hashes shown in the references.

Risk and Exploitability

No public CVSS or EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require a specially crafted hamradio packet that reaches the uninitialized‑value code path in the driver. Given the lack of publicly known exploits and the need for the attacker to send data to the hamradio interface, the likelihood of exploitation appears limited; however, the impact could be kernel instability or denial‑of‑service if the bug is successfully triggered.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 1d3abf0c3ddeefc6f6d913aa129acc06fce8240a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d4cceb5184538613572fb79319453f281b1eeacb
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2951656b0de00153f2687f3a093890bce72b6215
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e9cf4018d74237d142cd66243c821d13593270f0
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d9ce2a4b679122397d7f35bad7be46913ad1ca80
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 987af7625ceb1ee59d70eb0abd7af11c75e45d79
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 578f3aba427c938fecfa0d8c83d9acb213a9b24a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< bf9a38803b2626b01cc769aaf13485d8650f576f

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that contains the hamradio 6pack uninitialized‑value fix referenced in the advisory commit links.
If a kernel upgrade is not feasible, disable the hamradio interface or the 6pack protocol to prevent the driver from processing packets.
Configure firewall or packet filtering rules to reject malformed hamradio packets or restrict hamradio traffic to trusted hosts only.

Generated by OpenCVE AI on June 24, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1d3abf0c3ddeefc6f6d913aa129acc06fce8240a
https://git.kernel.org/stable/c/2951656b0de00153f2687f3a093890bce72b6215
https://git.kernel.org/stable/c/578f3aba427c938fecfa0d8c83d9acb213a9b24a
https://git.kernel.org/stable/c/987af7625ceb1ee59d70eb0abd7af11c75e45d79
https://git.kernel.org/stable/c/bf9a38803b2626b01cc769aaf13485d8650f576f
https://git.kernel.org/stable/c/d4cceb5184538613572fb79319453f281b1eeacb
https://git.kernel.org/stable/c/d9ce2a4b679122397d7f35bad7be46913ad1ca80
https://git.kernel.org/stable/c/e9cf4018d74237d142cd66243c821d13593270f0

History

Wed, 24 Jun 2026 21:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Wed, 24 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf sixpack_receive_buf() does not properly skip bytes with TTY error flags. The while loop iterates through the flags buffer but never advances the data pointer (cp), and passes the original count (including error bytes) to sixpack_decode(). This causes sixpack_decode() to process bytes that should have been skipped due to TTY errors. The TTY layer does not guarantee that cp[i] holds a meaningful value when fp[i] is set, so passing those positions to sixpack_decode() results in KMSAN reporting an uninit-value read. Fix this by processing bytes one at a time, advancing cp on each iteration, and only passing valid (non-error) bytes to sixpack_decode(). This matches the pattern used by slip_receive_buf() and mkiss_receive_buf() for the same purpose.
Title		net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1d3abf0c3ddeefc6f6d913aa129acc06fce8240a https://git.kernel.org/stable/c/2951656b0de00153f2687f3a093890bce72b6215 https://git.kernel.org/stable/c/578f3aba427c938fecfa0d8c83d9acb213a9b24a https://git.kernel.org/stable/c/987af7625ceb1ee59d70eb0abd7af11c75e45d79 https://git.kernel.org/stable/c/bf9a38803b2626b01cc769aaf13485d8650f576f https://git.kernel.org/stable/c/d4cceb5184538613572fb79319453f281b1eeacb https://git.kernel.org/stable/c/d9ce2a4b679122397d7f35bad7be46913ad1ca80 https://git.kernel.org/stable/c/e9cf4018d74237d142cd66243c821d13593270f0

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-24T16:30:22.817Z

Updated: 2026-06-24T16:30:22.817Z

Reserved: 2026-06-09T07:44:35.383Z

Link: CVE-2026-53082

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T21:30:04Z

Weaknesses

CWE-457
Use of Uninitialized Variable

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object