CVE-2026-23092 in Linuxinfo

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index.

The bug was validated using a demo module that mirrors the original code and was tested under QEMU.

Pattern of the bug: - A fixed 64-byte stack buffer is filled using count. - If count > 64, the code still does buf[count] = '\0', causing an
- out-of-bounds write on the stack.

Steps for reproduce: - Opens the device node. - Writes 128 bytes of A to it. - This overflows the 64-byte stack buffer and KASAN reports the OOB.

Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write")

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/03/2026

The vulnerability CVE-2026-23092 represents a critical out-of-bounds write flaw in the Linux kernel's industrial I/O subsystem, specifically affecting the ad3552r-hs digital-to-analog converter driver. This issue resides within the ad3552r_hs_write_data_source function where improper buffer handling leads to memory corruption. The flaw demonstrates a classic buffer overflow pattern that occurs when developers fail to properly validate input parameters against buffer boundaries. The vulnerability is particularly concerning as it affects kernel-level drivers that handle hardware communication, potentially enabling privilege escalation or system instability. The bug manifests when the simple_write_to_buffer() function successfully processes data, returning the actual number of bytes copied, but the code incorrectly utilizes the original count parameter instead of the returned byte count for null termination operations. This misalignment creates a scenario where buffer overflows occur when input data exceeds the allocated 64-byte stack buffer size.

The technical implementation of this vulnerability stems from improper bounds checking in kernel memory management operations. When a user-space application writes data to the device node, the driver's write function processes the input through simple_write_to_buffer() which correctly returns the number of bytes actually copied to the internal buffer. However, the subsequent code incorrectly uses the original input count value for null termination operations, rather than the actual bytes copied. This creates a condition where if count exceeds the 64-byte buffer limit, the code attempts to write a null terminator at buf[count] position, causing memory corruption beyond the allocated buffer boundaries. The vulnerability pattern follows CWE-121, which describes stack-based buffer overflow conditions, and specifically manifests as a CWE-787, out-of-bounds write, in kernel space. The flaw is particularly dangerous because it operates in kernel context where memory corruption can lead to complete system compromise rather than just application-level crashes.

The operational impact of CVE-2026-23092 extends beyond simple memory corruption to potentially enable arbitrary code execution within kernel space. Attackers can exploit this vulnerability by opening the device node and writing more than 64 bytes of data, which triggers the out-of-bounds write condition. The kernel's KASAN (Kernel Address Sanitizer) framework detects this condition and reports the out-of-bounds write, confirming the vulnerability's presence. This type of vulnerability aligns with ATT&CK technique T1068, which covers local privilege escalation through kernel exploits, and T1547.001, covering registry run keys and startup folder. The vulnerability affects systems running Linux kernels that include the affected IIO DAC driver, particularly those utilizing the ad3552r-hs hardware, and could be exploited in embedded systems, industrial control environments, or any platform where this specific hardware driver is implemented.

Mitigation strategies for CVE-2026-23092 require immediate kernel updates that implement proper bounds checking and use of return values from buffer operations. The fix involves replacing the incorrect count-based indexing with the actual bytes copied as returned by simple_write_to_buffer() function, ensuring that null termination occurs within proper buffer boundaries. System administrators should prioritize patching affected kernel versions and monitoring for exploitation attempts through kernel logs and KASAN reports. Additionally, implementing proper input validation at the driver level and using kernel hardening features such as stack canaries and kernel address space layout randomization can provide additional protection layers. The vulnerability's similarity to previously fixed commits like da9374819eb3 indicates that this is a well-known pattern in kernel driver development, making it crucial for maintainers to apply consistent defensive programming practices. Organizations should also consider implementing runtime monitoring for suspicious device node access patterns and establish procedures for reviewing kernel driver code changes to prevent similar issues in the future.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00186

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!