CVE-2026-43495— net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 12
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | da45d2566a1d4e260b894ff5d96be64b21c7fa79< f94450ce5053b36002995b72d1fa1db3bb08c5bf | affected |
da45d2566a1d4e260b894ff5d96be64b21c7fa79< 9855e063e063158cc5bded576382599dc3133202 | affected | ||
da45d2566a1d4e260b894ff5d96be64b21c7fa79< 2b56d7903ab804481f5233a259d5f341e9fd513c | affected | ||
da45d2566a1d4e260b894ff5d96be64b21c7fa79< dd4f4c93c1488d7100b9964f2da4c8b3c29652f1 | affected | ||
da45d2566a1d4e260b894ff5d96be64b21c7fa79< 0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 | affected | ||
5.19 | affected | ||
< 5.19 | unaffected | ||
6.6.140≤ 6.6.* | unaffected | ||
| … +4 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43495
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于t7xx_port_enum_msg_handler函数中未验证port_count字段,可能导致越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43495
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43495
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-43495 (5)
Same Patch Batch · Linux · 2026-05-21 · 8 CVEs total
| CVE-2026-43502 | net/rds: handle zerocopy send cleanup before the message is queued | |
| CVE-2026-43501 | ipv6: rpl: reserve mac_len headroom when recompressed SRH grows | |
| CVE-2026-43498 | accel/ivpu: Disallow re-exporting imported GEM objects | |
| CVE-2026-43499 | rtmutex: Use waiter::task instead of current in remove_waiter() | |
| CVE-2026-43497 | fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free | |
| CVE-2026-43496 | net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked | |
| CVE-2026-43494 | net/rds: reset op_nents when zerocopy page pin fails |
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-45836
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndti - CVE-2026-45835
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_conne - CVE-2026-45834
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_cha - CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans
Same vendor: Linux
- CVE-2026-45836
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndti - CVE-2026-45835
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_conne - CVE-2026-45834
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_cha - CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans
V. Comments for CVE-2026-43495
No comments yet