CVE-2026-23092 (GCVE-0-2026-23092)

Vulnerability from cvelistv5 – Published: 2026-02-04 16:08 – Updated: 2026-02-09 08:38
VLAI?
Title
iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
Summary
In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index. The bug was validated using a demo module that mirrors the original code and was tested under QEMU. Pattern of the bug: - A fixed 64-byte stack buffer is filled using count. - If count > 64, the code still does buf[count] = '\0', causing an - out-of-bounds write on the stack. Steps for reproduce: - Opens the device node. - Writes 128 bytes of A to it. - This overflows the 64-byte stack buffer and KASAN reports the OOB. Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write")
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: b1c5d68ea66e511dfb16cd0e6a730488bd3c3317 , < db16e7c52032c79156930a337ee17232931794ba (git)
Affected: b1c5d68ea66e511dfb16cd0e6a730488bd3c3317 , < 978d28136c53df38f8f0b747191930e2f95e9084 (git)
Create a notification for this product.
    Linux Linux Affected: 6.16
Unaffected: 0 , < 6.16 (semver)
Unaffected: 6.18.8 , ≤ 6.18.* (semver)
Unaffected: 6.19 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/dac/ad3552r-hs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db16e7c52032c79156930a337ee17232931794ba",
              "status": "affected",
              "version": "b1c5d68ea66e511dfb16cd0e6a730488bd3c3317",
              "versionType": "git"
            },
            {
              "lessThan": "978d28136c53df38f8f0b747191930e2f95e9084",
              "status": "affected",
              "version": "b1c5d68ea66e511dfb16cd0e6a730488bd3c3317",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/dac/ad3552r-hs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.8",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source\n\nWhen simple_write_to_buffer() succeeds, it returns the number of bytes\nactually copied to the buffer. The code incorrectly uses \u0027count\u0027\nas the index for null termination instead of the actual bytes copied.\nIf count exceeds the buffer size, this leads to out-of-bounds write.\nAdd a check for the count and use the return value as the index.\n\nThe bug was validated using a demo module that mirrors the original\ncode and was tested under QEMU.\n\nPattern of the bug:\n- A fixed 64-byte stack buffer is filled using count.\n- If count \u003e 64, the code still does buf[count] = \u0027\\0\u0027, causing an\n- out-of-bounds write on the stack.\n\nSteps for reproduce:\n- Opens the device node.\n- Writes 128 bytes of A to it.\n- This overflows the 64-byte stack buffer and KASAN reports the OOB.\n\nFound via static analysis. This is similar to the\ncommit da9374819eb3 (\"iio: backend: fix out-of-bound write\")"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T08:38:32.433Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba"
        },
        {
          "url": "https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084"
        }
      ],
      "title": "iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23092",
    "datePublished": "2026-02-04T16:08:15.203Z",
    "dateReserved": "2026-01-13T15:37:45.962Z",
    "dateUpdated": "2026-02-09T08:38:32.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23092\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-02-04T17:16:20.083\",\"lastModified\":\"2026-03-17T21:09:20.000\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source\\n\\nWhen simple_write_to_buffer() succeeds, it returns the number of bytes\\nactually copied to the buffer. The code incorrectly uses \u0027count\u0027\\nas the index for null termination instead of the actual bytes copied.\\nIf count exceeds the buffer size, this leads to out-of-bounds write.\\nAdd a check for the count and use the return value as the index.\\n\\nThe bug was validated using a demo module that mirrors the original\\ncode and was tested under QEMU.\\n\\nPattern of the bug:\\n- A fixed 64-byte stack buffer is filled using count.\\n- If count \u003e 64, the code still does buf[count] = \u0027\\\\0\u0027, causing an\\n- out-of-bounds write on the stack.\\n\\nSteps for reproduce:\\n- Opens the device node.\\n- Writes 128 bytes of A to it.\\n- This overflows the 64-byte stack buffer and KASAN reports the OOB.\\n\\nFound via static analysis. This is similar to the\\ncommit da9374819eb3 (\\\"iio: backend: fix out-of-bound write\\\")\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\\n\\niio: dac: ad3552r-hs: correcci\u00f3n de escritura fuera de l\u00edmites en ad3552r_hs_write_data_source\\n\\nCuando simple_write_to_buffer() tiene \u00e9xito, devuelve el n\u00famero de bytes realmente copiados al b\u00fafer. El c\u00f3digo usa incorrectamente \u0027count\u0027 como \u00edndice para la terminaci\u00f3n nula en lugar de los bytes realmente copiados. Si count excede el tama\u00f1o del b\u00fafer, esto lleva a una escritura fuera de l\u00edmites. A\u00f1adir una comprobaci\u00f3n para count y usar el valor de retorno como \u00edndice.\\n\\nEl error fue validado usando un m\u00f3dulo de demostraci\u00f3n que refleja el c\u00f3digo original y fue probado bajo QEMU.\\n\\nPatr\u00f3n del error:\\n- Un b\u00fafer de pila fijo de 64 bytes se llena usando count.\\n- Si count \u0026gt; 64, el c\u00f3digo a\u00fan hace buf[count] = \u0027\\\\0\u0027, causando una\\n- escritura fuera de l\u00edmites en la pila.\\n\\nPasos para reproducir:\\n- Abre el nodo del dispositivo.\\n- Escribe 128 bytes de A en \u00e9l.\\n- Esto desborda el b\u00fafer de pila de 64 bytes y KASAN reporta el OOB.\\n\\nEncontrado mediante an\u00e1lisis est\u00e1tico. Esto es similar al\\ncommit da9374819eb3 (\u0027iio: backend: correcci\u00f3n de escritura fuera de l\u00edmites\u0027)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16\",\"versionEndExcluding\":\"6.18.8\",\"matchCriteriaId\":\"467E1359-7F6A-4790-AC45-172024944460\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F71D92C0-C023-48BD-B3B6-70B638EEE298\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"13580667-0A98-40CC-B29F-D12790B91BDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.