Impact
sixpack_receive_buf() in the Linux kernel hamradio driver does not properly skip bytes with TTY error flags. The loop iterates through the flags buffer but never advances the data pointer, and passes the original count—including error bytes—to sixpack_decode(). Because the TTY layer does not guarantee that cp[i] holds a meaningful value when fp[i] is set, passing those positions to sixpack_decode() results in KMSAN reporting an uninitialized value read. The fix changes the loop to process bytes one at a time, advancing cp on each iteration and only passing valid (non‑error) bytes to sixpack_decode().
Affected Systems
The vulnerability is located in the Linux kernel hamradio 6pack networking driver. All kernel releases that include the sixpack_receive_buf path before the commit references listed in the advisory are affected. Administrators should verify that their running kernel contains the patch commit hashes shown in the references.
Risk and Exploitability
The EPSS score is below 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to send a specially crafted hamradio packet that reaches the uninitialized‑value code path in the driver, potentially triggering KMSAN reports or undefined behavior. No public exploits or evidence of crash have been reported. The impact is limited to the detection of an uninitialized read and any downstream effects are not explicitly documented.
OpenCVE Enrichment
Debian DLA