HIGH 8.0

CVE-2026-46332: Linux Kernel Greybus BeaglePlay Buffer Overflow

A memory overflow vulnerability exists in the Linux kernel's Greybus BeaglePlay bootloader driver. The vulnerability occurs when the bootloader receives data over a serial device connection. The driver uses a fixed-size buffer to collect incoming data chunks, but it doesn't properly validate whether new data fits into the remaining buffer space before copying it. An attacker with local or adjacent network access could send specially crafted data packets to overflow this buffer, potentially executing arbitrary code or causing system crashes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-120
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: bound bootloader receive buffering cc1352_bootloader_rx() appends each serdev chunk into the fixed rx_buffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may receive multiple packets in one callback, so a single count value is not constrained by one packet length. Check that the incoming chunk fits in the remaining receive buffer space before memcpy(). If it does not, drop the staged data and consume the bytes instead of overflowing rx_buffer.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46332 is a classic buffer overflow (CWE-120) in the cc1352_bootloader_rx() function within the Linux kernel's Greybus gb-beagleplay driver. The function appends serdev (serial device) data chunks into a fixed-size rx_buffer without bounds checking. Because the helper function preserves state between callbacks and may process multiple packets in a single callback, the cumulative data can exceed the buffer's allocated space. The fix implements a pre-copy validation that checks whether the incoming chunk size exceeds remaining buffer capacity. If the buffer would overflow, the staged data is discarded and bytes are consumed to prevent the overflow condition.

Business impact

This vulnerability could allow an attacker to execute arbitrary code on systems running affected Linux kernels with Greybus BeaglePlay hardware support enabled. The impact is limited to systems with this specific hardware or driver enabled, but on vulnerable systems, code execution could lead to complete system compromise, privilege escalation, and lateral movement within networked environments. Organizations deploying BeaglePlay devices or development boards should assess their kernel configurations and deployment inventory.

Affected systems

The vulnerability affects the Linux kernel's Greybus BeaglePlay bootloader driver component. Systems at risk include those running Linux kernels with the gb-beagleplay driver compiled and enabled, particularly BeaglePlay development boards and systems using similar Greybus-based communication hardware. The vulnerability does not affect systems without this driver enabled or running non-Linux operating systems.

Exploitability

Exploitation requires adjacent or local network access (AV:A per CVSS), with low attack complexity and no authentication or user interaction required for the technical exploit. However, the practical exploitation surface is narrowed by the specificity of the hardware and driver combination. An attacker would need either physical proximity to the device's serial communication link or network access if the serial device is exposed over a network medium. The CVSS rating of 8.0 (HIGH) reflects the severity of impact if exploited, though the limited scope of affected deployments may reduce real-world risk in many environments.

Remediation

Apply kernel updates that include the fix for the cc1352_bootloader_rx() function bounds checking. Verify the specific kernel version containing the patch against official Linux kernel security advisories and your distribution's patch releases. As an interim measure, disable the gb-beagleplay driver if the hardware is not in use, or isolate systems running this driver from untrusted network segments.

Patch guidance

Check with your Linux distribution (Red Hat, Ubuntu, Debian, etc.) for kernel updates addressing CVE-2026-46332. The fix involves validating incoming data chunk size against remaining buffer space in cc1352_bootloader_rx(). Verify against the vendor advisory that your kernel version includes the bounds-checking implementation that drops staged data rather than overflowing the buffer when insufficient space remains. Test patches in non-production environments before deployment, particularly if you manage fleets of BeaglePlay or similar Greybus devices.

Detection guidance

Monitor system logs for bootloader communication errors or crashes originating from the Greybus driver. Kernel audit logs may show buffer-related warnings if available. Network-based detection is difficult without visibility into serial device traffic; focus on host-level kernel logs and system stability monitoring. If you manage BeaglePlay hardware, maintain inventory and verify kernel versions in use. Intrusion detection systems may flag unusual patterns in serial communication if it is exposed via network protocols, but direct serial line inspection provides the most reliable detection.

Why prioritize this

While this vulnerability carries a HIGH CVSS score (8.0) due to potential code execution and impact across confidentiality, integrity, and availability, its real-world risk is moderated by the narrow hardware scope. Organizations without BeaglePlay or Greybus-based devices deployed should deprioritize relative to broader kernel vulnerabilities affecting mainstream systems. However, organizations actively using this hardware should treat it as high priority to prevent potential supply chain or development platform compromises.

Risk score, explained

The CVSS 3.1 score of 8.0 reflects a HIGH severity vulnerability because successful exploitation could lead to complete system compromise (high impact across C, I, and A). The vector CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates adjacent access requirement and the need for user interaction, which moderates the score slightly from maximum severity. The score appropriately weights the impact severity against the narrower attack surface compared to network-wide kernel vulnerabilities.

Frequently asked questions

Do I need to patch this immediately if I'm not using BeaglePlay hardware?

No. If you do not have Greybus BeaglePlay drivers enabled in your kernel configuration, this vulnerability does not affect your systems. Verify your kernel configuration to confirm the driver is not compiled in. General Linux administrators managing traditional x86 or ARM servers without Greybus hardware can deprioritize this patch relative to other kernel updates, though staying current is always advisable.

Can this vulnerability be exploited remotely over the network?

Direct remote exploitation is unlikely unless the serial device interface is explicitly bridged to the network through a custom solution. The vulnerability requires adjacent or local access to the serial communication channel. However, in development or IoT environments where serial protocols are networked, the attack surface expands. Assess your specific deployment topology.

What should I do if I'm a BeaglePlay developer or researcher?

Update your kernel immediately to a patched version. BeaglePlay boards are commonly used in embedded systems research and development. If you cannot update immediately, isolate affected development systems from shared networks and limit access to trusted developers only. Verify bootloader communication logs for any anomalies suggesting prior exploitation attempts.

Does this vulnerability affect the bootloader itself or the running kernel?

The vulnerability is in the kernel driver that handles bootloader communication over Greybus. It affects the runtime driver code, not the bootloader binary itself. However, successful exploitation of this driver could potentially compromise system integrity before or after bootloader execution.

This analysis is based on the published vulnerability description and CVSS metrics as of the provided source data. Specific affected kernel versions, patch availability timelines, and distribution-specific update schedules should be verified directly with the Linux kernel security team and your distribution vendor. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct independent testing of patches before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of remediation or detection guidance; security decisions should incorporate multiple data sources and consultation with qualified security professionals. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).