CVE-2026-23092
Published: 04 February 2026
Summary
CVE-2026-23092 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-23092 is an out-of-bounds write vulnerability in the Linux kernel's Industrial I/O (IIO) DAC driver for the ad3552r-hs device, specifically in the ad3552r_hs_write_data_source function. The issue arises because the code uses the 'count' parameter as the index for null-terminating a fixed 64-byte stack buffer after calling simple_write_to_buffer(), rather than the actual number of bytes copied (the function's return value). If 'count' exceeds the buffer size, this results in a stack-based out-of-bounds write. The vulnerability was discovered via static analysis, validated using a QEMU-based demo module mirroring the original code, and is similar to a prior fix in commit da9374819eb3 for the IIO backend.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N) by opening the affected device node and writing more than 64 bytes—such as 128 bytes of data—to trigger the out-of-bounds write. Reproduction steps involve writing 128 bytes of 'A' to the device node, which overflows the stack buffer and is detectable via KASAN. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability in the local scope.
Mitigation involves applying the upstream kernel patches from the provided commit references: https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084 and https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba. These commits add a check to ensure 'count' does not exceed the buffer size and use the return value from simple_write_to_buffer() as the index for null termination, preventing the out-of-bounds access. Security practitioners should update to a kernel version incorporating these fixes.
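The bug pattern and the fix described above, as an added userspace model (not the kernel driver's code and not part of the original advisory). Assumptions: model_write_to_buffer() stands in for simple_write_to_buffer() at offset 0, the copy limit of BUF_SZ - 1 and the -ENOSPC error code are illustrative, and a canary-filled guard zone stands in for the stack memory next to the 64-byte buffer so the stray write stays inside one array and can be measured.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SZ   64    /* fixed buffer size stated in the advisory */
#define GUARD_SZ 192   /* constructed guard zone modelling adjacent stack memory */
#define CANARY   0xA5

/* Model of simple_write_to_buffer() at offset 0: returns bytes actually copied. */
static ssize_t model_write_to_buffer(void *to, size_t avail, const void *from, size_t count)
{
    size_t n = count < avail ? count : avail;
    memcpy(to, from, n);
    return (ssize_t)n;
}

/* Buggy pattern: the terminator index is the caller-supplied count. */
static ssize_t write_vulnerable(unsigned char *frame, const void *src, size_t count)
{
    ssize_t ret = model_write_to_buffer(frame, BUF_SZ - 1, src, count);
    if (ret < 0)
        return ret;
    frame[count] = '\0';   /* lands past the buffer whenever count >= BUF_SZ */
    return (ssize_t)count;
}

/* Fixed pattern: reject an oversized count, terminate at the copied length. */
static ssize_t write_fixed(unsigned char *frame, const void *src, size_t count)
{
    if (count >= BUF_SZ)
        return -ENOSPC;    /* error code is an assumption of this model */
    ssize_t ret = model_write_to_buffer(frame, BUF_SZ - 1, src, count);
    if (ret < 0)
        return ret;
    frame[ret] = '\0';
    return ret;
}

/* Runs one handler with `count` bytes of 'A' (count < BUF_SZ + GUARD_SZ) and
 * returns how many guard bytes beyond the 64-byte buffer were modified. */
static size_t run_case(int fixed, size_t count, ssize_t *ret)
{
    unsigned char frame[BUF_SZ + GUARD_SZ], src[GUARD_SZ];
    size_t hits = 0;
    memset(frame, CANARY, sizeof(frame));
    memset(src, 'A', sizeof(src));
    *ret = fixed ? write_fixed(frame, src, count) : write_vulnerable(frame, src, count);
    for (size_t i = BUF_SZ; i < sizeof(frame); i++)
        hits += (frame[i] != CANARY);
    return hits;
}
```

With the 128-byte write from the reproduction steps, the buggy handler modifies one byte beyond the buffer (the stray terminator at index 128), while the fixed handler rejects the write and leaves the guard zone intact.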
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5450
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index.

The bug was validated using a demo module that mirrors the original code and was tested under QEMU.

Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an out-of-bounds write on the stack.

Steps to reproduce:
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the OOB.

Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write")
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel stack buffer overflow (OOB write) directly enables exploitation for privilege escalation from low-privileged user context.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates this CVE by applying kernel patches that add bounds checking and correct null-termination indexing in ad3552r_hs_write_data_source.
Information input validation enforces bounds checks on device node writes, preventing out-of-bounds stack writes when count exceeds the 64-byte buffer size.
Memory protection techniques like stack canaries and bounds checking directly counter stack-based out-of-bounds writes in kernel drivers.