PatchSiren

CVE-2026-31768 Linux CVE debrief

CVE-2026-31768 is a Linux kernel bug in the ti-adc161s626 IIO ADC driver, where spi_read() was passed stack memory instead of DMA-safe storage. The upstream fix replaces that buffer with a DMA-safe u8[] buffer and adjusts the byte conversion logic accordingly. NVD rates the issue High (CVSS 7.8), with a local attack vector, no user interaction, and high impact on confidentiality, integrity, and availability.

Vendor: Linux
Product: CVE-2026-31768
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-01
Original CVE updated: 2026-05-11
Advisory published: 2026-05-01
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distribution security teams, and embedded/device teams that build or ship kernels with the ti-adc161s626 ADC driver enabled. Operators of systems running affected kernel versions should also pay attention, especially where the driver is present in production or vendor kernels.

Technical summary

The vulnerability is in the Linux kernel IIO ADC path for TI's ADC161S626 driver. Specifically, spi_read() was given stack-based memory, which is not DMA-safe. The fix introduces a DMA-safe buffer, declared as a u8[] because the driver only needs up to 3 bytes, and updates the conversion functions to match. NVD lists the affected Linux kernel versions as 4.9 up to (but not including) 6.1.168, 6.2 up to (but not including) 6.6.134, 6.7 up to (but not including) 6.12.81, 6.13 up to (but not including) 6.18.22, 6.19 up to (but not including) 6.19.12, and 7.0-rc1 through 7.0-rc6.

Defensive priority

High

Recommended defensive actions

  • Prioritize upgrading to a kernel release that includes the ti-adc161s626 DMA-safe buffer fix.
  • Verify whether your fleet or vendor kernel includes the ti-adc161s626 IIO ADC driver and whether the affected version ranges apply.
  • If you maintain a downstream kernel, backport the upstream patch series referenced in the NVD record.
  • Track vendor advisories and build metadata for embedded products that may ship this driver in customized kernels.
  • For exposed systems, confirm kernel packages are updated and rebooted into the fixed build.
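
The version and driver check from the second action above can be scripted; the following is an added example, not code from the NVD record or the upstream patch. It compares the upstream version in a `uname -r` style string against the ranges listed on this page and looks for the driver in a kernel config dump. The Kconfig symbol CONFIG_TI_ADC161S626 is taken from the upstream tree rather than this page, and the sample config text is constructed.

```python
import re

# Affected upstream ranges as listed on this page (start inclusive, end exclusive).
AFFECTED = [
    ((4, 9, 0), (6, 1, 168)),
    ((6, 2, 0), (6, 6, 134)),
    ((6, 7, 0), (6, 12, 81)),
    ((6, 13, 0), (6, 18, 22)),
    ((6, 19, 0), (6, 19, 12)),
]
AFFECTED_7_0_RCS = range(1, 7)  # 7.0-rc1 through 7.0-rc6

# Assumption: Kconfig symbol from the upstream tree, not stated on this page.
DRIVER_SYMBOL = "CONFIG_TI_ADC161S626"
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc or None)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0)), (int(rc) if rc else None)

def in_affected_range(release):
    """True if the upstream version falls in a range listed on this page.

    Vendor kernels may backport the fix without changing the upstream version,
    so True means "check the vendor changelog", not "confirmed vulnerable".
    """
    version, rc = parse_release(release)
    if version == (7, 0, 0):
        return rc in AFFECTED_7_0_RCS  # only the listed release candidates
    return any(lo <= version < hi for lo, hi in AFFECTED)

def driver_state(config_text):
    """Return 'y' (built in), 'm' (module) or None for the driver in a .config dump."""
    m = re.search(rf"^{DRIVER_SYMBOL}=([ym])$", config_text, re.MULTILINE)
    return m.group(1) if m else None

def needs_action(release, config_text):
    """A host needs follow-up when the version is in range and the driver is built."""
    return in_affected_range(release) and driver_state(config_text) is not None

# Constructed sample input, e.g. the contents of /boot/config-<release>.
SAMPLE_CONFIG = "CONFIG_IIO=y\nCONFIG_TI_ADC161S626=m\n# CONFIG_TI_ADC128S052 is not set\n"

if __name__ == "__main__":
    for rel in ("6.6.133-generic", "6.6.134", "7.0.0-rc3"):
        print(rel, needs_action(rel, SAMPLE_CONFIG))
```
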

Evidence notes

The supplied record shows the CVE as published on 2026-05-01 and modified on 2026-05-11. The NVD record describes the issue as a Linux kernel IIO ADC driver fix, 'use DMA-safe memory for spi_read()', and notes that all SPI buffers must be DMA-safe. NVD marks the vulnerability as analyzed, with CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The record lists patch references on git.kernel.org and affected Linux kernel CPE ranges ending before 6.1.168, 6.6.134, 6.12.81, 6.18.22, and 6.19.12, plus 7.0-rc1 through rc6.

Official resources

Officially published in the supplied CVE/NVD record on 2026-05-01 and last modified on 2026-05-11. No KEV listing is present in the supplied data.