PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43476 Linux CVE debrief

CVE-2026-43476 is a high-severity Linux kernel issue in the IIO chemical SPS30 I2C driver. The supplied record says sps30_i2c_read_meas() used sizeof(num), which resolves to the size of size_t rather than the intended __be32 element size, and the fix changes this to sizeof(*meas). In practice, that is a buffer-size mismatch in kernel-space measurement handling, which can lead to incorrect memory access or memory corruption. The CVE record was published on 2026-05-13 and last modified on 2026-05-20; the record also points to stable kernel commit references for remediation.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-05-20
Advisory published: 2026-05-13
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distro security teams, and embedded or IoT operators using kernels that include the SPS30 IIO chemical sensor driver. It is especially relevant for environments where kernel updates are deferred or vendor backports are required.

Technical summary

The vulnerability is a type/size mismatch in sps30_i2c_read_meas(). The description states that sizeof(num) evaluates to sizeof(size_t) on 64-bit systems, which is 8 bytes, instead of the intended 4-byte __be32 element size. The patch switches to sizeof(*meas) so the allocation, copy, or read path matches the actual buffer element type. That kind of mismatch can produce out-of-bounds access or other kernel memory-safety faults. The source corpus does not provide a full exploit narrative, so the precise failure mode should be treated as the fix rationale plus the CVSS 7.8 impact assessment, not as a demonstrated attack chain.
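As an added illustration that is not the driver's code and not part of the PatchSiren record, the following C model shows why sizeof(num) over-requests on a 64-bit build and how a length check keyed to the destination capacity rejects the oversized transfer; the frame contents, function names and the bounded-read helper are constructed assumptions.

```c
/* Hypothetical model of the sizeof(num) vs sizeof(*meas) mismatch.
 * Assumes a 64-bit build where sizeof(size_t) == 8 and sizeof(be32) == 4. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t be32;                 /* stand-in for the kernel's __be32 */

/* Byte count the flawed expression requests for `num` words: it scales by
 * the size of the counter variable, not the element being counted. */
size_t meas_bytes_buggy(size_t num) { return num * sizeof(num); }

/* Byte count after the fix: scales by the destination element size. */
size_t meas_bytes_fixed(size_t num, const be32 *meas) { return num * sizeof(*meas); }

/* Constructed stand-in for an I2C transfer that refuses any request which
 * does not fit the destination buffer (a raw transfer would just overrun). */
static int bounded_i2c_read(const uint8_t *frame, size_t frame_len,
                            uint8_t *dst, size_t dst_cap, size_t len)
{
    if (len > frame_len || len > dst_cap)
        return -1;                     /* would overrun dst or read past frame */
    memcpy(dst, frame, len);
    return (int)len;
}

/* Model of the read path: copies `num` big-endian words into meas.
 * Returns bytes copied, or -1 when the length check rejects the request. */
int read_meas_model(const uint8_t *frame, size_t frame_len,
                    be32 *meas, size_t num, int use_fix)
{
    size_t want = use_fix ? meas_bytes_fixed(num, meas) : meas_bytes_buggy(num);
    return bounded_i2c_read(frame, frame_len, (uint8_t *)meas,
                            num * sizeof(*meas), want);
}

int main(void)
{
    /* Constructed 32-byte device frame; only the first 16 bytes are wanted. */
    static const uint8_t frame[32] = { 0,0,0,1, 0,0,0,2, 0,0,0,3, 0,0,0,4 };
    be32 meas[4];
    printf("buggy wants %zu bytes, fixed wants %zu bytes for 4 words\n",
           meas_bytes_buggy(4), meas_bytes_fixed(4, meas));
    printf("fixed read: %d, buggy read: %d\n",
           read_meas_model(frame, sizeof frame, meas, 4, 1),
           read_meas_model(frame, sizeof frame, meas, 4, 0));
    return 0;
}
```

On a 64-bit build the buggy path asks for 32 bytes for a 16-byte destination and is rejected by the check; on a 32-bit build the two expressions coincide, which is why the defect is easy to miss in testing.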

Defensive priority

High. The CVSS 7.8 score, local attack vector, and kernel-space memory-safety context justify prompt patching, especially on systems that expose this driver in embedded, industrial, or IoT deployments.

Recommended defensive actions

  • Update to a Linux kernel release that includes the fix referenced by the stable kernel commit links in the CVE record.
  • If you maintain a downstream kernel, verify that the SPS30 IIO chemical driver backport uses sizeof(*meas) in sps30_i2c_read_meas().
  • Prioritize vendor-supplied backports for embedded and IoT platforms that may not receive upstream kernels quickly.
  • After patching, reboot affected systems and validate sensor read paths and kernel logs during staging or maintenance windows.

Evidence notes

All factual claims are limited to the supplied CVE metadata and reference list. The core evidence is the CVE description stating the buffer-size mismatch in Linux kernel iio: chemical: sps30_i2c: sps30_i2c_read_meas(), plus the NVD record showing CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H and the reference links to kernel stable commits. The specific exploitability mechanics are not described in the corpus, so impact language is intentionally conservative and tied to the CVSS score and the nature of the fix. Vendor attribution in the supplied data is weak, so this is treated as a Linux kernel issue rather than a specific proprietary vendor product.

Official resources

Published 2026-05-13T16:16:50.680Z and last modified 2026-05-20T17:16:23.083Z, per the supplied CVE and NVD metadata. No KEV listing was provided in the source corpus.