Category

Linux Kernel

Security vulnerabilities and automated fixes for linux kernel issues

6 posts found

critical5 min

How buffer overflow via strcpy() happens in C Kconfig parsing and how to fix it

A critical buffer overflow vulnerability was discovered in the Linux kernel's Kconfig build system where `strcpy()` copied user-controlled symbol values into a fixed-size buffer without bounds checking. This flaw in `scripts/kconfig/symbol.c` could allow attackers to overwrite adjacent memory when processing malicious Kconfig files. The fix replaces the unsafe `strcpy()` with `memcpy()` using explicit length calculations.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jul 11, 2026
medium9 min

How buffer overflow happens in C kernel driver (qcom_usbnet_main.c) and how to fix it

A series of unsafe `sprintf()` calls in the Qualcomm USB network kernel driver (`qcom_usbnet_main.c`) created buffer overflow conditions that, when combined with other memory corruption primitives in the same file, could allow an attacker with physical USB access to escalate privileges to root. The fix replaces unbounded `sprintf()` and `snprintf()` misuse with properly bounded `snprintf()` and `scnprintf()` calls that respect actual buffer sizes. This is a textbook example of how a seemingly mi

#buffer-overflow#linux-kernel#C+4 more
O
orbisai0security
Jun 22, 2026
critical9 min

How heap buffer overflow happens in C kconfig symbol.c and how to fix it

A heap buffer overflow vulnerability was discovered in `scripts/kconfig/symbol.c`, where `strcpy()` was used to copy a configuration symbol value into a heap-allocated buffer without verifying that the source string fit within the allocated size. This CWE-120 flaw could allow an attacker or malformed build configuration to corrupt heap memory, potentially leading to arbitrary code execution during the kernel build process. The fix replaces `strcpy()` with a bounds-aware `memcpy()` and replaces u

#buffer-overflow#c#cwe-120+4 more
O
orbisai0security
Jun 9, 2026
high7 min

GPIO Bounds Checking: Fixing an Out-of-Bounds Access in py32ioexp Driver

A high-severity out-of-bounds access vulnerability was discovered and patched in the `py32ioexp` Linux GPIO expander driver. The `py32io_gpio_direction_input()` function failed to validate a user-supplied pin offset against the chip's declared GPIO count, opening the door to memory corruption via the GPIO character device interface. A two-line bounds check now closes the vulnerability cleanly and efficiently.

#linux-kernel#gpio#out-of-bounds+4 more
O
orbisai0security
May 28, 2026
critical8 min

Critical Kernel Buffer Overflow Fixed in BPF x86 Native Lab Module

A critical buffer overflow vulnerability (CWE-120) was discovered and patched in `module/x86/bpf_x86_native_lab.c`, where a bounds check on BPF blob length was only performed inside an `emit` conditional branch — leaving a window for kernel memory corruption when `emit` was false. The fix relocates the length validation before any branching logic, ensuring no code path can proceed with an oversized blob. This type of kernel-level vulnerability is particularly dangerous because successful exploit

#kernel-security#buffer-overflow#bpf+4 more
O
orbisai0security
May 28, 2026
critical9 min

Critical Use-After-Free: The Dangerous krealloc() Pattern in Linux Kernel Code

A critical memory safety vulnerability was discovered and fixed in the Linux kernel's SSDFS filesystem driver, where directly assigning the return value of krealloc() to the original pointer could cause use-after-free conditions or NULL pointer dereferences when memory allocation fails. This well-known dangerous pattern, explicitly warned against in Linux kernel coding guidelines, could allow attackers to trigger memory corruption under low-memory conditions. The fix implements the safe temporar

#linux-kernel#memory-safety#use-after-free+4 more
O
orbisai0security
May 25, 2026