In the Linux kernel, the following vulnerability has been resolved:
comedi: me4000: Fix potential overrun of firmware buffer
me4000_xilinx_download() loads the firmware that was requested by
request_firmware(). It is possible for it to overrun the source
buffer because it blindly trusts the file format. It reads a data
stream length from the first 4 bytes into variable file_length and
reads the data stream contents of length file_length from offset 16
onwards.
Add a test to ensure that the supplied firmware is long enough to
contain the header and the data stream. On failure, log an error and
return -EINVAL.
Note: The firmware loading was totally broken before commit ac584af59945
("staging: comedi: me4000: fix firmware downloading"), but that is the
most sensible target for this fix.
| Score | Percentile |
|---|---|
| 0.01% | 2.42% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-28wg-v83v-vrgh ↗ |
| CVE | CVE-2026-31747 ↗ |
| CWE id | Name |
|---|---|
| CWE-787 | Out-of-bounds Write |