CVE-2026-46326 Overview
CVE-2026-46326 affects the Linux kernel's Industrial I/O (IIO) pressure sensor driver mprls0025pa. The driver failed to zero out the spi_transfer struct before use, leaving stack memory uninitialized when issuing Serial Peripheral Interface (SPI) transactions. Maintainers resolved the issue by explicitly clearing the structure prior to populating its fields. The fix landed across multiple stable kernel trees through commits 1e0ac56c, 664ffdf3, 72158f9a, and 9080c7ac.
Critical Impact
Uninitialized stack data in the spi_transfer struct could lead to undefined SPI controller behavior and potential information exposure through residual kernel stack contents [CWE-908].
Affected Products
- Linux kernel builds including the iio: pressure: mprls0025pa driver
- Stable kernel branches prior to the referenced fix commits
- Systems using the Honeywell MPRLS0025PA pressure sensor over SPI
Discovery Timeline
- 2026-06-09 - CVE-2026-46326 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46326
Vulnerability Analysis
The mprls0025pa driver provides kernel support for the Honeywell MicroPressure sensor family over SPI. The driver allocated a spi_transfer struct on the stack without initializing its fields to zero. The SPI core inspects struct members such as cs_change, delay, bits_per_word, and speed_hz when scheduling a transfer. Leaving these fields populated with arbitrary stack residue produces nondeterministic transfer parameters.
This class of defect is tracked under Uninitialized Memory Use [CWE-908]. In kernel SPI drivers, it can cause functional faults during sensor reads and may also expose stack contents to the SPI controller through unintended field values. The fix forces a clean zeroed state before populating the transfer descriptor.
Root Cause
The root cause is missing initialization of an automatic (stack-allocated) spi_transfer structure. C does not zero stack variables by default, so previously used stack frames left residual values in the struct members. The patch resolves this by zeroing the struct via memset or aggregate initialization before passing it to spi_sync or related APIs.
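A userspace model of the pattern described above, added here as an illustration; it is not the driver's code or the upstream diff. The `mock_spi_transfer` struct is a simplified stand-in for the kernel's struct spi_transfer, the `fill` and `stray_fields` helpers are hypothetical, and the 0xA5 fill is a constructed poison value that emulates stale stack bytes deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified userspace stand-in for the kernel's struct spi_transfer. */
struct mock_spi_transfer {
	const void *tx_buf;
	void *rx_buf;
	unsigned int len;
	uint32_t speed_hz;	/* 0 = device default */
	uint8_t bits_per_word;	/* 0 = device default */
	uint8_t cs_change;	/* 0 = normal chip-select handling */
	uint16_t delay;		/* 0 = no extra delay */
};

enum fill_mode { UNFIXED, FIXED_MEMSET, FIXED_AGGREGATE };

/* Populate the descriptor the way each variant of the driver code would. */
static void fill(struct mock_spi_transfer *x, enum fill_mode mode,
		 const void *tx, void *rx, unsigned int len)
{
	if (mode == FIXED_AGGREGATE) {	/* unnamed members become zero */
		*x = (struct mock_spi_transfer){ .tx_buf = tx, .rx_buf = rx, .len = len };
		return;
	}
	if (mode == FIXED_MEMSET)
		memset(x, 0, sizeof(*x));
	x->tx_buf = tx;		/* UNFIXED sets only these three fields */
	x->rx_buf = rx;
	x->len = len;
}

/* Number of optional fields holding a non-default value the core would act on. */
static int stray_fields(enum fill_mode mode)
{
	unsigned char tx[4] = { 0 }, rx[4] = { 0 };
	struct mock_spi_transfer x;

	memset(&x, 0xA5, sizeof(x));	/* constructed poison: emulates stale stack bytes */
	fill(&x, mode, tx, rx, sizeof(tx));
	return (x.speed_hz != 0) + (x.bits_per_word != 0) +
	       (x.cs_change != 0) + (x.delay != 0);
}

int main(void)
{
	printf("unfixed=%d memset=%d aggregate=%d\n", stray_fields(UNFIXED),
	       stray_fields(FIXED_MEMSET), stray_fields(FIXED_AGGREGATE));
	return 0;
}
```

In the unfixed case all four optional fields carry residue, while both zeroing styles leave them at their defaults.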
Attack Vector
The defect is local to kernel execution paths for the mprls0025pa driver. Triggering the code path requires the affected SPI pressure sensor to be probed and read on the host. There is no documented remote exploitation path. The Exploit Prediction Scoring System (EPSS) probability is 0.018% (percentile 4.793) as of 2026-06-11, consistent with a low likelihood of weaponization.
No verified exploit code is available. The vulnerability is described in prose only; readers should consult the referenced kernel commits for the precise diff.
Detection Methods for CVE-2026-46326
Indicators of Compromise
- No public indicators of compromise are associated with this kernel defect.
- Anomalous or intermittent SPI transfer failures in dmesg referencing the mprls0025pa driver may indicate the unfixed code path.
- Unexpected pressure sensor readings or controller resets on hosts using Honeywell MPRLS0025PA hardware.
Detection Strategies
- Inventory running kernels and compare against the fix commits 1e0ac56c, 664ffdf3, 72158f9a, and 9080c7ac to confirm patch presence.
- Audit kernel build configurations for CONFIG_MPRLS0025PA and identify hosts where the driver is loaded.
- Use static analyzers such as Smatch or Coccinelle scripts to flag stack-allocated spi_transfer structs without prior zeroing in custom kernel trees.
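For custom trees where Smatch or Coccinelle is not yet wired in, the last strategy can be approximated with a small text heuristic. The sketch below is an added example, not a project tool and not a substitute for a real static analyzer: `count_unzeroed_spi_transfer` is a hypothetical helper, it assumes kernel coding style (a function ends with `}` in column 0), and the embedded source is constructed sample input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count `struct spi_transfer NAME;` locals with no initializer and no
 * memset(&NAME, ...) before the enclosing function's closing brace.
 * Relies on kernel coding style: a function ends with '}' in column 0. */
static int count_unzeroed_spi_transfer(const char *src)
{
	static const char decl[] = "struct spi_transfer ";
	int hits = 0;
	const char *p = src;

	while ((p = strstr(p, decl)) != NULL) {
		char name[64], pat[80];
		size_t n = 0;

		p += sizeof(decl) - 1;
		while ((isalnum((unsigned char)*p) || *p == '_') && n < sizeof(name) - 1)
			name[n++] = *p++;
		name[n] = '\0';
		if (n == 0 || *p != ';')
			continue;	/* pointer, parameter, array or "= {...}" initializer */
		snprintf(pat, sizeof(pat), "memset(&%s,", name);
		const char *end = strstr(p, "\n}");	/* end of enclosing function */
		const char *zero = strstr(p, pat);	/* first matching memset */
		if (!zero || (end && zero > end))
			hits++;
	}
	return hits;
}

/* Constructed sample source, not the driver's code. */
static const char SAMPLE[] =
	"static int read_a(struct spi_device *spi)\n{\n"
	"\tstruct spi_transfer xfer;\n"
	"\txfer.len = 4;\n\treturn spi_sync_transfer(spi, &xfer, 1);\n}\n"
	"static int read_b(struct spi_device *spi)\n{\n"
	"\tstruct spi_transfer xfer;\n"
	"\tmemset(&xfer, 0, sizeof(xfer));\n\txfer.len = 4;\n"
	"\treturn spi_sync_transfer(spi, &xfer, 1);\n}\n"
	"static int read_c(struct spi_device *spi)\n{\n"
	"\tstruct spi_transfer xfer = { .len = 4 };\n"
	"\treturn spi_sync_transfer(spi, &xfer, 1);\n}\n";

int main(void)
{
	printf("unzeroed spi_transfer locals: %d\n", count_unzeroed_spi_transfer(SAMPLE));
	return 0;
}
```

Only `read_a` is flagged: the memset in `read_b` belongs to a different function and does not excuse it. Struct members of type spi_transfer would be false positives, so treat hits as review candidates.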
Monitoring Recommendations
- Collect dmesg and kernel ring buffer events for the mprls0025pa driver and forward them to a centralized log store.
- Monitor SPI subsystem error counters and unexpected reprobe events on affected hardware platforms.
- Track kernel package versions across the fleet to ensure stable updates containing the referenced commits are deployed.
How to Mitigate CVE-2026-46326
Immediate Actions Required
- Apply the upstream stable kernel update containing commit 1e0ac56c, 664ffdf3, 72158f9a, or 9080c7ac for your kernel branch.
- Rebuild and redeploy custom kernels that include the mprls0025pa driver after backporting the fix.
- Reboot affected hosts to load the patched kernel image.
Patch Information
The fix zeroes the spi_transfer struct before use in the mprls0025pa driver. Verified patches are available at Kernel Patch 1e0ac56, Kernel Patch 664ffdf3, Kernel Patch 72158f9a, and Kernel Patch 9080c7ac.
Workarounds
- Unload the mprls0025pa module on systems that do not require the Honeywell MPRLS0025PA sensor.
- Blacklist the driver in /etc/modprobe.d/ until the patched kernel is installed.
- Restrict physical and administrative access to systems integrating the affected SPI sensor hardware.
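```bash
# Configuration example: blacklist the mprls0025pa driver until patched kernel is deployed
echo "blacklist mprls0025pa" | sudo tee /etc/modprobe.d/blacklist-mprls0025pa.conf
# Unload the module if it is currently loaded; ignore the error if it is not
sudo rmmod mprls0025pa 2>/dev/null || true
# Regenerate the initramfs so the blacklist also applies at early boot (Debian/Ubuntu tooling)
sudo update-initramfs -u
```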