CVE-2026-46332 Overview
CVE-2026-46332 is a buffer overflow vulnerability in the Linux kernel's greybus subsystem, specifically in the gb-beagleplay driver used for BeaglePlay board communication. The flaw exists in the cc1352_bootloader_rx() function, which appends each serdev chunk into a fixed-size rx_buffer before parsing bootloader packets. Because the helper retains leftover bytes between callbacks and may receive multiple packets in a single invocation, the count value is not bounded by a single packet length. An incoming chunk larger than the remaining buffer space causes a memcpy() to overflow rx_buffer. The Linux kernel maintainers resolved the issue by validating the chunk size against remaining buffer capacity before the copy.
Critical Impact
An adversary controlling the serdev data stream can overflow the kernel rx_buffer, corrupting adjacent kernel memory and risking denial of service or kernel memory corruption.
Affected Products
- Linux kernel greybus subsystem (drivers/staging/greybus/gb-beagleplay)
- Systems using the cc1352_bootloader_rx() serdev receive path
- BeaglePlay boards relying on the CC1352 co-processor bootloader interface
Discovery Timeline
- 2026-06-09 - CVE-2026-46332 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46332
Vulnerability Analysis
The vulnerability resides in cc1352_bootloader_rx(), the serdev receive callback for the BeaglePlay greybus bootloader interface. The function accumulates incoming serial data into a fixed-size rx_buffer before parsing bootloader protocol packets. The helper preserves leftover bytes across callback invocations and can receive multiple packets in one callback. As a result, the count argument provided by the serdev framework is not limited to a single bootloader packet length.
When the function performs memcpy() into rx_buffer, it does not verify that the incoming chunk fits in the remaining buffer space. An attacker who can influence serdev data delivered to the driver can supply a chunk that exceeds the available capacity, causing kernel heap or static buffer corruption. This class of flaw maps to a classic out-of-bounds write [CWE-787] in kernel-mode code.
Root Cause
The root cause is missing bounds validation between the serdev-provided count and the remaining free space in rx_buffer. The driver assumed packet-sized inputs but the serdev contract delivers arbitrarily sized chunks. The upstream fix adds a length check and drops the staged data, consuming the bytes instead of copying them, when the chunk would exceed remaining buffer space.
Attack Vector
Exploitation requires the ability to supply attacker-controlled data over the serdev channel feeding the cc1352_bootloader_rx() path. This is a local or physical adjacency attack, typically through a connected CC1352 co-processor or a tampered serial peripheral. A successful overflow corrupts kernel memory adjacent to rx_buffer, which can lead to kernel panic, denial of service, or potential privilege escalation depending on memory layout.
No public proof-of-concept exploit is available. The vulnerability mechanism is described in the upstream kernel commits referenced below. See the Linux kernel stable commit for the corrective patch.
Detection Methods for CVE-2026-46332
Indicators of Compromise
- Unexpected kernel oops or panic messages referencing cc1352_bootloader_rx or greybus in dmesg and /var/log/kern.log.
- Memory corruption signatures from KASAN reports tagged with slab-out-of-bounds or global-out-of-bounds in the gb-beagleplay driver.
- Unexplained resets or reboots on BeaglePlay-class hardware following bootloader interaction with the CC1352 co-processor.
Detection Strategies
- Enable Kernel Address Sanitizer (KASAN) on test kernels running the gb-beagleplay driver to surface out-of-bounds writes during fuzzing.
- Audit kernel logs for repeated entries originating from the greybus subsystem on affected hardware.
- Inspect the kernel version and applied patch set with uname -r and distribution patch metadata to confirm whether the fix commits are present.
Monitoring Recommendations
- Forward kmsg and journalctl -k output to a central logging pipeline and alert on stack traces containing cc1352_bootloader_rx.
- Monitor for unexpected serdev traffic volume to BeaglePlay devices, which may indicate attempts to flood the receive buffer.
- Track kernel package versions across embedded fleets to confirm patch deployment status.
How to Mitigate CVE-2026-46332
Immediate Actions Required
- Apply the upstream Linux kernel patches that bound the bootloader receive buffer in cc1352_bootloader_rx().
- Limit physical and logical access to BeaglePlay serial and CC1352 co-processor interfaces on production hardware.
- Inventory all systems running the greybus gb-beagleplay driver and prioritize patching on devices exposed to untrusted peripherals.
Patch Information
The fix has been merged into the Linux kernel stable tree across multiple branches. Reference commits include 0339a746ff7c, 1214bf28965c, 663c2728a6d0, and fb91d4e49fcb. The patch validates the incoming chunk length against remaining rx_buffer capacity and drops staged data instead of overflowing.
Workarounds
- Unload the gb-beagleplay kernel module on systems that do not require BeaglePlay greybus functionality using modprobe -r gb-beagleplay.
- Blacklist the module in /etc/modprobe.d/ to prevent automatic load until the kernel is patched.
- Restrict access to the serdev device nodes feeding the driver through filesystem permissions and udev rules.
# Configuration example
# Verify whether the gb-beagleplay module is loaded
lsmod | grep gb_beagleplay
# Temporarily unload the vulnerable driver
sudo modprobe -r gb_beagleplay
# Persistently blacklist until the kernel is patched
echo "blacklist gb_beagleplay" | sudo tee /etc/modprobe.d/blacklist-gb-beagleplay.conf
# Confirm running kernel version against patched stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
