{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-46332: greybus: gb-beagleplay: bound bootloader receive buffering","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-46332","status":"final","version":"1","initial_release_date":"2026-06-09T12:36:00.450Z","current_release_date":"2026-06-14T04:30:30.392Z","revision_history":[{"date":"2026-06-09T12:36:00.450Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: gb-beagleplay: bound bootloader receive buffering\n\ncc1352_bootloader_rx() appends each serdev chunk into the fixed\nrx_buffer before parsing bootloader packets. The helper can keep\nleftover bytes between callbacks and may receive multiple packets in one\ncallback, so a single count value is not constrained by one packet\nlength.\n\nCheck that the incoming chunk fits in the remaining receive buffer space\nbefore memcpy(). If it does not, drop the staged data and consume the\nbytes instead of overflowing rx_buffer.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-46332 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-46332"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-46332"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/663c2728a6d0f781044431111b53a27f71027e48"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/fb91d4e49fcbea0b5091394ac5b8f7d4124265c3"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/0339a746ff7cd3f9d10f565e89c99dc93191e58d"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/1214bf28965ceaf584fb20d357731264dd2e10e1"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=0cf7befa3ea2e7284d8ba5b8f45a546865b09edb <663c2728a6d0f781044431111b53a27f71027e48","product":{"name":"Linux Linux >=0cf7befa3ea2e7284d8ba5b8f45a546865b09edb <663c2728a6d0f781044431111b53a27f71027e48","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=0cf7befa3ea2e7284d8ba5b8f45a546865b09edb =0cf7befa3ea2e7284d8ba5b8f45a546865b09edb =0cf7befa3ea2e7284d8ba5b8f45a546865b09edb <0339a746ff7cd3f9d10f565e89c99dc93191e58d","product":{"name":"Linux Linux >=0cf7befa3ea2e7284d8ba5b8f45a546865b09edb <0339a746ff7cd3f9d10f565e89c99dc93191e58d","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=0cf7befa3ea2e7284d8ba5b8f45a546865b09edb <1214bf28965ceaf584fb20d357731264dd2e10e1","product":{"name":"Linux Linux >=0cf7befa3ea2e7284d8ba5b8f45a546865b09edb <1214bf28965ceaf584fb20d357731264dd2e10e1","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"6.12","product":{"name":"Linux Linux 6.12","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.86","product":{"name":"Linux Linux 6.12.86","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.27","product":{"name":"Linux Linux 6.18.27","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.4","product":{"name":"Linux Linux 7.0.4","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1-rc1","product":{"name":"Linux Linux 7.1-rc1","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:6.12:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-46332","title":"greybus: gb-beagleplay: bound bootloader receive buffering","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\ngreybus: gb-beagleplay: bound bootloader receive buffering\n\ncc1352_bootloader_rx() appends each serdev chunk into the fixed\nrx_buffer before parsing bootloader packets. The helper can keep\nleftover bytes between callbacks and may receive multiple packets in one\ncallback, so a single count value is not constrained by one packet\nlength.\n\nCheck that the incoming chunk fits in the remaining receive buffer space\nbefore memcpy(). If it does not, drop the staged data and consume the\nbytes instead of overflowing rx_buffer.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5"],"fixed":["CSAFPID-6","CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 0339a746ff7cd3f9d10f565e89c99dc93191e58d, 1214bf28965ceaf584fb20d357731264dd2e10e1, 6.12.86, 6.18.27, 663c2728a6d0f781044431111b53a27f71027e48, 7.0.4, 7.1-rc1, fb91d4e49fcbea0b5091394ac5b8f7d4124265c3.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5"]}]}]}