CVE-2026-43005 Overview
CVE-2026-43005 is a Linux kernel vulnerability in the tps53679 hardware monitoring (hwmon) driver. The flaw affects how the driver handles return values from i2c_smbus_read_block_data(). When the SMBus read returns zero bytes, the function tps53679_identify_chip() accesses buf[ret - 1], which translates to buf[-1]. This results in an out-of-bounds read of one byte before the stack-allocated buffer.
The issue was resolved upstream by changing the error check from ret < 0 to ret <= 0, treating a zero-length block read as an -EIO error condition. The patch also corrects a typo in an adjacent comment.
Critical Impact
A zero-length SMBus block read causes the tps53679 hwmon driver to read one byte beyond a stack buffer, potentially leaking adjacent kernel stack memory.
Affected Products
- Linux kernel versions containing the tps53679 hwmon driver prior to the upstream fix
- Stable kernel branches receiving backports referenced in the kernel.org commits
- Systems using TI TPS53679 / compatible voltage regulator devices monitored via SMBus
Discovery Timeline
- 2026-05-01 - CVE-2026-43005 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43005
Vulnerability Analysis
The vulnerability resides in the tps53679_identify_chip() function within the Linux kernel hwmon subsystem. This function calls i2c_smbus_read_block_data() to retrieve identification data from a TPS53679 power management chip over SMBus. The function then validates the return value with a check of ret < 0 to detect failures.
However, i2c_smbus_read_block_data() can legitimately return 0 when a peripheral responds with a zero-length block. The existing check fails to treat this as an error. The driver subsequently indexes buf[ret - 1], computing buf[-1] and reading one byte preceding the buffer on the kernel stack.
This represents an out-of-bounds read primitive within kernel context. While the read is bounded to a single byte, it falls into the [CWE-125] Out-of-Bounds Read category and may expose adjacent stack contents.
Root Cause
The root cause is incorrect input validation. The tps53679 driver assumes any non-negative return from i2c_smbus_read_block_data() indicates a usable buffer with at least one byte. The SMBus API permits a return value of 0, which the driver does not handle. Computing buf[ret - 1] with ret == 0 produces a negative index.
Attack Vector
Triggering this condition requires a device on the I²C/SMBus that returns a zero-length block read in response to the driver's identification probe. In typical deployments this requires either physical access to the bus, a malicious or malfunctioning peripheral, or a compromised component capable of crafting SMBus responses. Remote exploitation is not applicable to this driver path.
The vulnerability is described in prose only; no public proof-of-concept exploit is referenced. Technical details are available through the upstream commits at 0e211f6aaa6a, 6999b4769e2a, and 79b7e588399b on kernel.org.
Detection Methods for CVE-2026-43005
Indicators of Compromise
- Unexpected kernel log entries from the tps53679 hwmon driver during chip identification
- SMBus transaction errors or -EIO returns logged near hwmon driver initialization
- Unusual system behavior on hardware platforms equipped with TPS53679 voltage regulators
Detection Strategies
- Inventory running kernels and identify systems where CONFIG_SENSORS_TPS53679 is enabled and the module is loaded
- Compare installed kernel package versions against distribution advisories that reference the upstream commits
- Use kernel build metadata to confirm whether the fix commits have been backported to running kernels
Monitoring Recommendations
- Monitor dmesg and journalctl -k output for hwmon driver warnings on systems with PMBus voltage regulators
- Track kernel package update status across the fleet via configuration management or vulnerability scanners
- Alert on systems still running pre-patch stable kernel branches identified in the kernel.org references
How to Mitigate CVE-2026-43005
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that incorporates the upstream fix
- For self-built kernels, cherry-pick commit 79b7e588399b (or the corresponding stable backports 0e211f6aaa6a and 6999b4769e2a)
- Audit hardware platforms for use of the tps53679 driver and prioritize patching those systems
Patch Information
The fix changes the validation in tps53679_identify_chip() from if (ret < 0) to if (ret <= 0), returning -EIO when the SMBus read produces zero bytes. The patch is available in three stable kernel commits referenced by the NVD entry. Distribution kernels that track the stable trees will receive the fix as part of routine point releases.
Workarounds
- Unload the tps53679 module on systems where TPS53679 monitoring is not required: modprobe -r tps53679
- Blacklist the driver via /etc/modprobe.d/ configuration on platforms that do not need PMBus voltage regulator telemetry
- Restrict physical and logical access to systems where untrusted SMBus peripherals could be attached
# Blacklist the tps53679 hwmon driver until the kernel is patched
echo "blacklist tps53679" | sudo tee /etc/modprobe.d/blacklist-tps53679.conf
sudo modprobe -r tps53679 2>/dev/null || true
# Verify the module is no longer loaded
lsmod | grep tps53679
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
