PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43380 Linux CVE debrief

CVE-2026-43380 is a Linux kernel vulnerability in the hwmon/pmbus q54sj108a2 debugfs read path. The bug can overflow a stack buffer because the read path generates hex output with bin2hex() using swapped destination/source arguments and an output buffer too small for the result. NVD rates the issue HIGH, with local, low-privilege access required.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-20
Advisory published: 2026-05-08
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, and operators running kernels that include the q54sj108a2 hwmon driver should prioritize this. Systems exposing debugfs or using affected kernel releases are most relevant, especially where local users can reach the path.

Technical summary

According to the CVE description, q54sj108a2_debugfs_read passes the arguments to bin2hex() in the wrong order, writing hex output into a 34-byte stack buffer that cannot hold the 64-byte result of a 32-byte block read. The same bug also causes the function to read from a zero-initialized buffer, so the output is incorrect even when it does not overflow. The described fix expands the temporary buffer, corrects the bin2hex() argument order, and uses the actual read length before copying the final data to userspace. NVD maps the weakness to CWE-125 and scores the issue CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
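The buffer arithmetic in that summary is easy to model. The following is an added userspace illustration, not the kernel driver's code and not the upstream fix: a local bin2hex_local() stands in for the kernel's bin2hex() with the same argument order (destination, source, byte count), and format_block_hex() applies the guard the description implies, sizing the output from the actual read length and refusing to write when the destination is too small. BLOCK_MAX, hex_buf_needed() and check_examples() are names chosen here for the example; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_MAX 32  /* largest block read discussed in the debrief (assumed cap) */

/* Userspace stand-in for the kernel's bin2hex(): same argument order
 * (destination, source, byte count), writes exactly 2 * count characters,
 * no terminator, returns a pointer just past the last character written. */
static char *bin2hex_local(char *dst, const void *src, size_t count)
{
    static const char digits[] = "0123456789abcdef";
    const uint8_t *p = src;

    for (size_t i = 0; i < count; i++) {
        *dst++ = digits[p[i] >> 4];
        *dst++ = digits[p[i] & 0x0f];
    }
    return dst;
}

/* Capacity a hex buffer needs for len input bytes: two characters per byte,
 * so a 32-byte block needs 64 characters, more than a 34-byte buffer holds. */
size_t hex_buf_needed(size_t len)
{
    return 2 * len;
}

/* Format actual_len bytes of block as hex into out. The destination capacity
 * is checked against the real read length before anything is written.
 * Returns the number of characters produced, or -1 if the output would not
 * fit or the length is out of range. */
int format_block_hex(char *out, size_t out_size, const uint8_t *block, size_t actual_len)
{
    if (out == NULL || block == NULL || actual_len > BLOCK_MAX)
        return -1;
    if (out_size < hex_buf_needed(actual_len))
        return -1;
    return (int)(bin2hex_local(out, block, actual_len) - out);
}

/* Runs the two sizes from the advisory against constructed sample data.
 * Returns 1 when a 34-byte buffer is rejected for a 32-byte block, a 64-byte
 * buffer accepts it with the expected text, and a shorter 4-byte read yields
 * only 8 characters (the actual read length drives the output size). */
int check_examples(void)
{
    uint8_t block[BLOCK_MAX];
    char too_small[34];
    char sized[64];

    for (int i = 0; i < BLOCK_MAX; i++)
        block[i] = (uint8_t)i;  /* constructed sample bytes 0x00..0x1f */

    if (format_block_hex(too_small, sizeof too_small, block, 32) != -1)
        return 0;
    if (format_block_hex(sized, sizeof sized, block, 32) != 64)
        return 0;
    if (memcmp(sized, "000102030405060708090a0b0c0d0e0f", 32) != 0)
        return 0;
    if (format_block_hex(sized, sizeof sized, block, 4) != 8)
        return 0;
    return 1;
}

int main(void)
{
    int ok = check_examples();
    printf("buffer sizing checks %s\n", ok ? "passed" : "failed");
    return ok ? 0 : 1;
}
```

The point of the guard is that the capacity check uses the length actually read, not a fixed assumption about the block, so a short read cannot be padded from uninitialised memory and a full read cannot exceed the destination.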

Defensive priority

High. The vulnerability is locally reachable and rated HIGH severity, with potential impact to confidentiality, integrity, and availability. Patch and upgrade quickly on any system running affected Linux kernel versions, particularly if the q54sj108a2 driver is present.

Recommended defensive actions

  • Upgrade to a kernel release that includes the fix referenced by the official stable patch links.
  • Prioritize patched kernel packages for affected LTS and mainline branches listed by NVD.
  • If immediate upgrading is not possible, reduce local access to the system and limit exposure of debugfs where operationally feasible.
  • Verify whether the q54sj108a2 hwmon driver is present in your kernel build or vendor tree (for example, check for a loaded q54sj108a2 module or the driver's option in the kernel config), and whether debugfs is mounted on the host.
  • Track vendor backports for the affected kernel versions before marking hosts remediated.

Evidence notes

This debrief is based on the CVE description and NVD metadata supplied in the source corpus. NVD published the CVE on 2026-05-08 and last modified it on 2026-05-20. The official references include multiple git.kernel.org stable patch links, which support that the issue has been fixed upstream/downstream. The affected version ranges are taken from the NVD CPE criteria in the provided record. No exploit instructions are included.

Official resources

Publicly disclosed in the CVE record on 2026-05-08 and updated in NVD on 2026-05-20. The authoritative patch references are the official git.kernel.org stable links included in the CVE metadata.