CVE-2026-46286: Linux Kernel Qualcomm LED Driver Array Bounds Check Vulnerability
A vulnerability exists in the Linux kernel's Qualcomm LED driver (qcom-lpg) where a register value intended to select from a predefined array is not properly validated before use. The register can hold values 0–7 (from a 3-bit field), but the array contains only 5 entries. Without bounds checking, out-of-range values cause the code to read uninitialized or incorrect memory, which then gets used to configure LED brightness timing parameters. While actual hardware typically produces valid register values, the lack of defensive checks creates a potential denial-of-service condition if invalid data is encountered.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: leds: qcom-lpg: Check for array overflow when selecting the high resolution When selecting the high resolution values from the array, FIELD_GET() is used to pull from a 3 bit register, yet the array being indexed has only 5 values in it. Odds are the hardware is sane, but just to be safe, properly check before just overflowing and reading random data and then setting up chip values based on that.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The qcom-lpg LED driver uses FIELD_GET() to extract a 3-bit value from a hardware register for selecting high-resolution timing values. This 3-bit field permits values 0–7, but the corresponding lookup array contains only 5 elements (valid indices 0–4). The code lacks bounds validation before array indexing, resulting in a classic out-of-bounds read. The unvalidated data is subsequently used to configure chip parameters, potentially causing incorrect LED behavior or system instability. The fix adds explicit array bounds checking to ensure only valid array indices are accessed.
Business impact
This vulnerability primarily affects systems running the affected Linux kernel versions that include Qualcomm LED driver hardware (common in mobile devices, IoT gateways, and embedded systems with PMIC-integrated LED control). The impact is localized to LED functionality; exploitation causes denial of service affecting LED operations rather than data confidentiality or system-wide compromise. For organizations managing IoT fleets or embedded Linux deployments with Qualcomm PMIC hardware, this could disrupt monitoring status lights or indicator functionality. The security boundary is the local system only, making remote exploitation infeasible.
Affected systems
Linux kernel systems with Qualcomm LP-GPIO (lpg) LED driver support, primarily found in mobile SoCs, PMIC modules, and embedded platforms using Snapdragon or MSM chipsets. This includes Android devices, IoT appliances, and embedded Linux systems with Qualcomm power management integrated circuits. The vulnerability does not affect x86/x64 Linux servers or systems without Qualcomm LED hardware. Check your kernel configuration and device tree bindings for CONFIG_LEDS_QCOM_LPG or equivalent enabled status.
Exploitability
Exploitation requires local access to the system and the ability to trigger LED hardware state changes or directly manipulate the register in question. Remote exploitation is not feasible. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code has been disclosed. An attacker with local system access could potentially craft conditions to cause invalid register values, though hardware-level safeguards often prevent this in practice. The practical risk depends on whether untrusted local processes can access the sysfs LED control interfaces.
Remediation
Apply the Linux kernel patch that adds bounds checking to the high-resolution array selection logic in the qcom-lpg driver. The fix implements a conditional check to validate the extracted register value against the array size before indexing. Systems should upgrade to a patched kernel version; verify availability with your Linux distribution or chip vendor (Qualcomm/Snapdragon firmware release notes). For systems where immediate patching is infeasible, restrict local access to LED control sysfs nodes via file permissions or MAC policies.
Patch guidance
Monitor your Linux distribution's security advisories for kernel updates incorporating this fix. The patch is merged upstream in the Linux kernel; identify the first stable release containing the commit by checking the kernel.org git history and your distribution's kernel version mappings. Qualcomm device manufacturers (phone makers, IoT vendors) should ensure their kernel forks include this fix in their next security bulletin or monthly patch cycle. Test LED functionality after patching to confirm no regression in brightness or timing features.
Detection guidance
Monitor kernel logs for array access errors or memory protection faults in the qcom-lpg driver module. On systems with address sanitization or kernel debug features enabled, watch for out-of-bounds read warnings. Audit sysfs-based access to /sys/class/leds/* to identify which processes are modifying LED state; correlate with timing of any observed LED malfunction. Use dynamic kernel debugging tools (kprobes, tracepoints on lpg driver functions) to log register values at the point of array selection. Systems with SELinux or AppArmor can be configured to alert on unexpected LED sysfs access patterns.
Why prioritize this
While the CVSS score of 5.5 reflects local-only access requirements and availability impact only, this warrants priority for organizations with Qualcomm mobile or IoT deployments. The vulnerability is straightforward to patch and lacks real-world exploitation reports, making it a stable, low-risk remediation. Prioritize this over critical network-facing issues, but address it before end-of-quarter patch cycles to reduce legacy kernel exposure in your fleet.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects the local attack vector (AV:L), low complexity, required low privilege level, no user interaction, and impact limited to system availability (A:H, while C and I are None). The score correctly penalizes remote exploitability being impossible and data confidentiality/integrity remaining unaffected. The score does not account for the unlikely trigger condition in production hardware, which in practice reduces real-world risk below the numeric score.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local system access and the ability to trigger specific LED driver register states. Remote exploitation is not feasible.
Does this affect all Linux systems?
No. Only systems running affected Linux kernel versions with Qualcomm LED driver hardware (qcom-lpg) enabled are at risk. Typical x86/x64 servers and systems without Qualcomm PMIC hardware are unaffected.
What is the real-world impact if the array is overread?
The driver reads uninitialized or incorrect memory and uses it to configure LED timing parameters. This causes LED malfunction (incorrect brightness/timing) or potential kernel instability, but does not leak sensitive data or enable privilege escalation.
How do I know if my device is affected?
Check if your kernel has CONFIG_LEDS_QCOM_LPG enabled (cat /boot/config-$(uname -r) | grep LEDS_QCOM) and whether your hardware includes a Qualcomm PMIC or power management IC with integrated LED control. Mobile devices, IoT gateways, and some embedded boards are typical candidates.
This analysis is provided for informational purposes and reflects publicly available information as of the stated modification date. No exploit code, weaponized proof-of-concept, or detailed exploitation techniques are provided herein. Patch availability and affected kernel versions should be verified against official Linux kernel repositories and your distribution's security bulletins. Hardware behavior is dependent on specific SoC revisions and firmware versions; consult Qualcomm or your device manufacturer for definitive impact assessment. SEC.co makes no warranty regarding completeness or accuracy of affected product lists; always cross-reference against vendor advisories. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2025-71315MEDIUMLinux Kernel vkms DRM Vblank Timer Denial of Service
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability