{"id":"CVE-2026-43495","summary":"net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler\n\nt7xx_port_enum_msg_handler() uses the modem-supplied port_count field as\na loop bound over port_msg-\u003edata[] without checking that the message buffer\ncontains sufficient data. A modem sending port_count=65535 in a 12-byte\nbuffer triggers a slab-out-of-bounds read of up to 262140 bytes.\n\nAdd a sizeof(*port_msg) check before accessing the port message header\nfields to guard against undersized messages.\n\nAdd a struct_size() check after extracting port_count and before the loop.\n\nIn t7xx_parse_host_rt_data(), guard the rt_feature header read with a\nremaining-buffer check before accessing data_len, validate feat_data_len\nagainst the actual remaining buffer to prevent OOB reads and signed\ninteger overflow on offset.\n\nPass msg_len from both call sites: skb-\u003elen at the DPMAIF path after\nskb_pull(), and the validated feat_data_len at the handshake path.","modified":"2026-06-01T03:55:39.112201660Z","published":"2026-05-21T12:12:45.988Z","related":["openSUSE-SU-2026:10859-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43495.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43495.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43495"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"da45d2566a1d4e260b894ff5d96be64b21c7fa79"},{"fixed":"f94450ce5053b36002995b72d1fa1db3bb08c5bf"},{"fixed":"9855e063e063158cc5bded576382599dc3133202"},{"fixed":"2b56d7903ab804481f5233a259d5f341e9fd513c"},{"fixed":"dd4f4c93c1488d7100b9964f2da4c8b3c29652f1"},{"fixed":"0e7c074cfcd9bd93765505f9eb8b42f03ed2a744"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43495.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.19.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.30"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43495.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}