CVE-2026-46286 Overview
CVE-2026-46286 is a Linux kernel vulnerability in the Qualcomm Light Pulse Generator (LPG) LED driver (leds/qcom-lpg). The driver uses FIELD_GET() to extract a value from a 3-bit register field when selecting high-resolution values. That field can represent up to 8 distinct values, but the indexed array contains only 5 entries. Without bounds checking, the driver can read out-of-bounds data and configure chip values from invalid memory.
Critical Impact
An out-of-bounds read in the qcom-lpg LED driver can cause the kernel to use uninitialized or attacker-influenced data when programming LED hardware, leading to undefined behavior or information exposure.
Affected Products
- Linux kernel versions containing the leds-qcom-lpg driver prior to the fix
- Devices using Qualcomm PMIC LPG hardware for LED control
- Distributions shipping the affected kernel before backported patches
Discovery Timeline
- 2026-06-08 - CVE-2026-46286 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46286
Vulnerability Analysis
The qcom-lpg driver controls LED brightness using Pulse Width Modulation (PWM) on Qualcomm Power Management Integrated Circuits (PMICs). When selecting the high-resolution PWM value, the driver reads a 3-bit register field using the FIELD_GET() macro. A 3-bit field yields index values from 0 through 7, but the lookup array only defines 5 entries.
If the hardware returns a value of 5, 6, or 7, the driver indexes past the end of the array. The kernel then reads adjacent memory and treats those bytes as legitimate resolution settings. The patched code adds an explicit bounds check before indexing the array, falling back to a safe default when the register value exceeds the array length.
This is an out-of-bounds read [CWE-125] in kernel-mode code. While the maintainer notes the hardware is likely to return sane values, defensive validation is required because trusting hardware-supplied register contents is unsafe.
Root Cause
The root cause is a mismatch between the width of the register bitfield extracted by FIELD_GET() and the size of the resolution lookup array. The code assumes the hardware-supplied index always fits within the array bounds, but the encoding allows values that do not.
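The index/table mismatch and the bounds check described above, modeled in userspace C as an added example (not the driver's code or the upstream patch). The mask name, table contents, and choice of default are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical 3-bit selector in register bits [2:0] (name is an assumption). */
#define HI_RES_SEL_MASK 0x07u

/* Constructed sample table: 5 entries, while the 3-bit field encodes 8 indices. */
static const unsigned int hi_res_table[] = { 10, 20, 30, 40, 50 };
#define HI_RES_DEFAULT hi_res_table[0] /* assumed safe default */

/* Userspace stand-in for FIELD_GET() on a mask that starts at bit 0. */
static unsigned int hi_res_index(uint32_t reg)
{
    return reg & HI_RES_SEL_MASK;
}

/* Returns 1 when the hardware-supplied index falls inside the table. */
static int hi_res_index_ok(uint32_t reg)
{
    return hi_res_index(reg) < ARRAY_SIZE(hi_res_table);
}

/*
 * Unchecked pattern described on the page (not compiled here, it reads past
 * the table for indices 5..7):
 *     value = hi_res_table[hi_res_index(reg)];
 * Checked pattern: validate the index first, fall back to the default.
 */
static unsigned int hi_res_lookup(uint32_t reg)
{
    unsigned int idx = hi_res_index(reg);

    if (idx >= ARRAY_SIZE(hi_res_table))
        return HI_RES_DEFAULT;
    return hi_res_table[idx];
}

int main(void)
{
    /* Walk every encoding of the field, with unrelated upper bits set. */
    for (uint32_t reg = 0xA0; reg <= 0xA7; reg++)
        printf("reg=0x%02x idx=%u in_range=%d value=%u\n", (unsigned)reg,
               hi_res_index(reg), hi_res_index_ok(reg), hi_res_lookup(reg));
    return 0;
}
```

Three of the eight encodings (5, 6, and 7) have no table entry, which is why the check has to sit between field extraction and the array access.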
Attack Vector
The vector is local and requires a condition in which the LPG register returns an unexpected value, either through hardware fault, firmware misconfiguration, or a compromised lower-level component capable of influencing PMIC state. The result is reading and acting on uninitialized memory adjacent to the resolution array.
No public proof-of-concept exploit is available. Refer to the upstream commits for the precise code change.
Detection Methods for CVE-2026-46286
Indicators of Compromise
- Unexpected LED brightness, frequency, or PWM resolution behavior on devices using Qualcomm LPG hardware
- Kernel warnings or KASAN reports referencing lpg_lut_store, lpg_apply_freq, or related functions in the qcom-lpg driver
- Anomalous register reads in PMIC SPMI traces showing high-resolution field values above the expected range
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) in test builds to surface out-of-bounds reads in the qcom-lpg code path
- Audit installed kernel versions across the fleet and compare against the patched commits listed in the Linux kernel stable tree
- Review build configurations for CONFIG_LEDS_QCOM_LPG to identify systems that compile in the vulnerable driver
Monitoring Recommendations
- Collect kernel logs centrally and alert on qcom-lpg driver warnings or hardware initialization failures
- Track kernel package versions through configuration management to confirm patch deployment across affected devices
- Monitor vendor advisories for downstream Android and embedded distributions that integrate Qualcomm PMIC drivers
How to Mitigate CVE-2026-46286
Immediate Actions Required
- Update to a Linux kernel release that includes the upstream fix referenced in the kernel stable commits
- Inventory devices using Qualcomm PMIC LPG LED hardware and prioritize them for patching
- Apply vendor-supplied kernel updates for Android, ChromeOS, and embedded Linux platforms that ship the qcom-lpg driver
Patch Information
The fix adds a bounds check before indexing the high-resolution array in the leds-qcom-lpg driver. The patched commits are available in the Linux kernel stable tree, including commit 28a2e047d037, commit 36ce3094dc50, commit 438e357b3cc6, commit d45963a93c14, and commit f67a24e75d32.
Workarounds
- Disable the leds-qcom-lpg kernel module on systems where LED control via Qualcomm LPG is not required
- Rebuild custom kernels with CONFIG_LEDS_QCOM_LPG=n when patching upstream is not immediately feasible
- Restrict access to interfaces that allow userspace to trigger LPG reconfiguration on multi-tenant or untrusted systems


