GHSA-33FQ-H3X2-M8V9

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-24 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf

sixpack_receive_buf() does not properly skip bytes with TTY error flags. The while loop iterates through the flags buffer but never advances the data pointer (cp), and passes the original count (including error bytes) to sixpack_decode(). This causes sixpack_decode() to process bytes that should have been skipped due to TTY errors. The TTY layer does not guarantee that cp[i] holds a meaningful value when fp[i] is set, so passing those positions to sixpack_decode() results in KMSAN reporting an uninit-value read.

Fix this by processing bytes one at a time, advancing cp on each iteration, and only passing valid (non-error) bytes to sixpack_decode(). This matches the pattern used by slip_receive_buf() and mkiss_receive_buf() for the same purpose.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53082"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:22Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hamradio: 6pack: fix uninit-value in sixpack_receive_buf\n\nsixpack_receive_buf() does not properly skip bytes with TTY error flags.\nThe while loop iterates through the flags buffer but never advances the\ndata pointer (cp), and passes the original count (including error bytes)\nto sixpack_decode(). This causes sixpack_decode() to process bytes that\nshould have been skipped due to TTY errors.  The TTY layer does not\nguarantee that cp[i] holds a meaningful value when fp[i] is set, so\npassing those positions to sixpack_decode() results in KMSAN reporting\nan uninit-value read.\n\nFix this by processing bytes one at a time, advancing cp on each\niteration, and only passing valid (non-error) bytes to sixpack_decode().\nThis matches the pattern used by slip_receive_buf() and\nmkiss_receive_buf() for the same purpose.",
  "id": "GHSA-33fq-h3x2-m8v9",
  "modified": "2026-06-24T18:32:46Z",
  "published": "2026-06-24T18:32:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53082"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1d3abf0c3ddeefc6f6d913aa129acc06fce8240a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2951656b0de00153f2687f3a093890bce72b6215"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/578f3aba427c938fecfa0d8c83d9acb213a9b24a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/987af7625ceb1ee59d70eb0abd7af11c75e45d79"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf9a38803b2626b01cc769aaf13485d8650f576f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4cceb5184538613572fb79319453f281b1eeacb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9ce2a4b679122397d7f35bad7be46913ad1ca80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9cf4018d74237d142cd66243c821d13593270f0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…