
CVE-2026-23092

High

Published: 04 February 2026

Modified: 17 March 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23092 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.4th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-23092 is an out-of-bounds write vulnerability in the Linux kernel's Industrial I/O (IIO) DAC driver for the ad3552r-hs device, specifically in the ad3552r_hs_write_data_source function. The issue arises because the code uses the 'count' parameter as the index for null-terminating a fixed 64-byte stack buffer after calling simple_write_to_buffer(), rather than the actual number of bytes copied (the function's return value). If 'count' exceeds the buffer size, this results in a stack-based out-of-bounds write. The vulnerability was discovered via static analysis, validated using a QEMU-based demo module mirroring the original code, and is similar to a prior fix in commit da9374819eb3 for the IIO backend.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by opening the affected device node and writing more than 64 bytes—such as 128 bytes of data—to trigger the out-of-bounds write. Reproduction steps involve writing 128 bytes of 'A' to the device node, which overflows the stack buffer and is detectable via KASAN. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in the local scope.

Mitigation involves applying the upstream kernel patches from the provided commit references: https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084 and https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba. These commits add a check to ensure 'count' does not exceed the buffer size and use the return value from simple_write_to_buffer() as the index for null termination, preventing the out-of-bounds access. Security practitioners should update to a kernel version incorporating these fixes.
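The vulnerable and corrected indexing patterns described above, as an added user-space model (not the driver's code and not taken from the upstream commits). All function names, the sentinel frame, the omitted ppos argument, the `BUF_SZ - 1` copy limit and the -1 error value are assumptions made for illustration.

```c
/* User-space model of the bug pattern; names are constructed, not driver code. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SZ 64   /* size of the fixed stack buffer named in the advisory */

/* Stand-in for simple_write_to_buffer(): copies at most `avail` bytes and
 * returns the number actually copied (ppos handling omitted). */
static ssize_t model_write_to_buffer(char *to, size_t avail, const char *from, size_t n)
{
    if (n > avail)
        n = avail;
    memcpy(to, from, n);
    return (ssize_t)n;
}

/* Vulnerable shape: the terminator index comes from `count`, not the copy length.
 * `frame` must be larger than BUF_SZ so the stray write stays in memory we own. */
static size_t buggy_terminate(char *frame, const char *ubuf, size_t count)
{
    model_write_to_buffer(frame, BUF_SZ - 1, ubuf, count);
    frame[count] = '\0';            /* BUG: count may be >= BUF_SZ */
    return count;                   /* index that was written */
}

/* Fixed shape: bound `count` first, then terminate at the return value. */
static ssize_t fixed_write(char *buf, const char *ubuf, size_t count)
{
    if (count >= BUF_SZ)
        return -1;                  /* assumed error value; the driver returns an errno */
    ssize_t ret = model_write_to_buffer(buf, BUF_SZ - 1, ubuf, count);
    buf[ret] = '\0';
    return ret;
}

/* Constructed 128-byte input: returns 1 if the buggy shape wrote past the
 * 64-byte window while the fixed shape rejected it and still accepts 5 bytes. */
static int demo(void)
{
    char frame[256], ubuf[128], buf[BUF_SZ];
    memset(frame, 0x5a, sizeof(frame));     /* sentinel bytes around the window */
    memset(ubuf, 'A', sizeof(ubuf));
    size_t idx = buggy_terminate(frame, ubuf, sizeof(ubuf));
    int oob = idx >= BUF_SZ && frame[idx] == '\0';
    int rejected = fixed_write(buf, ubuf, sizeof(ubuf)) == -1;
    int short_ok = fixed_write(buf, "hello", 5) == 5 && buf[5] == '\0';
    return oob && rejected && short_ok;
}

int main(void) { printf("oob write seen, fix rejects: %d\n", demo()); return 0; }
```

In the model the copy itself is bounded, so the only out-of-window write is the terminator at index `count`, which is the behaviour KASAN reports in the kernel.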


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index.

The bug was validated using a demo module that mirrors the original code and was tested under QEMU.

Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an out-of-bounds write on the stack.

Steps to reproduce:
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the OOB.

Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write")


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel stack buffer overflow (OOB write) directly enables exploitation for privilege escalation from low-privileged user context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux Kernel)
CVE-2026-31772 (same product: Linux Kernel)
CVE-2026-23378 (same product: Linux Kernel)
CVE-2026-31494 (same product: Linux Kernel)
CVE-2025-21735 (same product: Linux Kernel)
CVE-2025-21650 (same product: Linux Kernel)
CVE-2024-52319 (same product: Linux Kernel)
CVE-2024-58003 (same product: Linux Kernel)
CVE-2026-23343 (same product: Linux Kernel)
CVE-2026-43500 (same product: Linux Kernel)

Affected Assets

linux
linux kernel
6.19 · 6.16 — 6.18.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Flaw remediation directly mitigates this CVE by applying kernel patches that add bounds checking and correct null-termination indexing in ad3552r_hs_write_data_source.

Prevent: Information input validation enforces bounds checks on device node writes, preventing out-of-bounds stack writes when count exceeds the 64-byte buffer size.

Prevent: Memory protection techniques like stack canaries and bounds checking directly counter stack-based out-of-bounds writes in kernel drivers.
