2464383 – (CVE-2026-31748) CVE-2026-31748 kernel: comedi: me_daq: Fix potential overrun of firmware buffer

Bug 2464383 (CVE-2026-31748) - CVE-2026-31748 kernel: comedi: me_daq: Fix potential overrun of firmware buffer

Summary: CVE-2026-31748 kernel: comedi: me_daq: Fix potential overrun of firmware buffer

Keywords:
Status:	NEW
Alias:	CVE-2026-31748
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-01 15:03 UTC by OSIDB Bzimport
Modified:	2026-05-01 22:01 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-01 15:03:38 UTC

In the Linux kernel, the following vulnerability has been resolved:

comedi: me_daq: Fix potential overrun of firmware buffer

`me2600_xilinx_download()` loads the firmware that was requested by
`request_firmware()`.  It is possible for it to overrun the source
buffer because it blindly trusts the file format.  It reads a data
stream length from the first 4 bytes into variable `file_length` and
reads the data stream contents of length `file_length` from offset 16
onwards.  Although it checks that the supplied firmware is at least 16
bytes long, it does not check that it is long enough to contain the data
stream.

Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream.  On failure, log an error and
return `-EINVAL`.

Comment 1 Keith Grant 2026-05-01 21:59:00 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050141-CVE-2026-31748-ab3e@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.