PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43495 Linux CVE debrief

CVE-2026-43495 is a Linux kernel memory-safety issue in the WWAN t7xx path. NVD’s description says the driver trusted modem-supplied length and count fields without checking that the backing buffer was large enough, which could lead to slab-out-of-bounds reads during port enumeration and host runtime-data parsing. The published fix adds size validation before header access and before iterating over port data, and it tightens message-length handling at both call sites.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

Kernel maintainers, Linux distribution security teams, OEMs shipping kernels with the t7xx WWAN driver, and operators of systems that use modem/WWAN hardware based on this driver path.

Technical summary

The reported flaw is in parsing logic for t7xx modem messages. In t7xx_port_enum_msg_handler(), a modem-controlled port_count value was used as a loop bound over port_msg->data[] without first confirming that the message buffer actually contained enough data. NVD states that a crafted 12-byte buffer with port_count=65535 could trigger a slab-out-of-bounds read of up to 262140 bytes. The fix adds a sizeof(*port_msg) check before reading header fields and a struct_size() check after extracting port_count and before entering the loop. A related hardening change in t7xx_parse_host_rt_data() validates the rt_feature header and feat_data_len against the remaining buffer to prevent out-of-bounds reads and signed integer overflow on offset. The two call sites now pass validated lengths (skb->len after skb_pull() in the DPMAIF path, and the validated feat_data_len in the handshake path).

Defensive priority

High for environments that ship or rely on the affected Linux kernel WWAN t7xx driver, especially if modem inputs are reachable from untrusted or less-trusted firmware/hardware paths.

Recommended defensive actions

  • Apply kernel updates or backports that include the referenced t7xx fixes from the official kernel stable commits.
  • Identify systems using the Linux kernel t7xx WWAN driver and prioritize them for patch verification.
  • If immediate patching is not possible, reduce exposure to the affected WWAN/modem path where operationally feasible and monitor for kernel warnings or crashes in related subsystems.
  • Validate that your kernel build and distribution backport set include the message-length and bounds-checking changes described in the fix.
  • Track downstream vendor advisories for this CVE because the upstream fix may be backported under different version numbers.

Evidence notes

This debrief is based on the NVD CVE record and the CVE description supplied in the source corpus. The vulnerability description explicitly states missing length validation in t7xx_port_enum_msg_handler() and t7xx_parse_host_rt_data(), the risk of slab-out-of-bounds reads, and the nature of the fixes. No exploit steps, affected-version claims, or severity score were provided in the corpus.

Official resources

Publicly disclosed in the NVD record with publishedAt 2026-05-21T13:16:18.847Z; the source corpus links to upstream Linux kernel stable references associated with the fix.