Instituto Nacional de Ciberseguridad (INCIBE). INCIBE-CERT section

CVE-2026-23092

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
04/02/2026
Last modified:
04/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source

When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index.

The bug was validated using a demo module that mirrors the original code and was tested under QEMU.

Pattern of the bug:
- A fixed 64-byte stack buffer is filled using count.
- If count > 64, the code still does buf[count] = '\0', causing an out-of-bounds write on the stack.

Steps to reproduce:
- Opens the device node.
- Writes 128 bytes of A to it.
- This overflows the 64-byte stack buffer and KASAN reports the OOB.

Found via static analysis. This is similar to the commit da9374819eb3 ("iio: backend: fix out-of-bound write")
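The pattern described above, reduced to a userspace C model as an added example (it is not the kernel driver's code or the upstream patch). The names model_write_to_buffer(), prepatch_pattern() and write_data_source_fixed() are hypothetical, the copy helper is a simplified stand-in for simple_write_to_buffer(), and the -EINVAL return value is an assumption.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 64  /* the 64-byte stack buffer described above */

/* Simplified userspace model of simple_write_to_buffer() at offset 0:
 * copies at most `available` bytes, returns the number actually copied. */
static ssize_t model_write_to_buffer(char *to, size_t available,
                                     const char *from, size_t count)
{
    if (count > available)
        count = available;             /* short copy, still "success" */
    memcpy(to, from, count);
    return (ssize_t)count;
}

struct prepatch_result { ssize_t copied; size_t term_index; int oob; };

/* Pre-fix pattern, made safe to run: records the index the code would
 * terminate at instead of performing the write. */
struct prepatch_result prepatch_pattern(const char *user, size_t count)
{
    char buf[BUF_SIZE];
    struct prepatch_result r;

    r.copied = model_write_to_buffer(buf, sizeof(buf) - 1, user, count);
    r.term_index = count;              /* bug: count, not r.copied */
    r.oob = count >= sizeof(buf);      /* buf[count] lies outside buf */
    return r;
}

/* Hardened handler (hypothetical name): check count first, then
 * terminate at the return value. Returns length or -errno. */
ssize_t write_data_source_fixed(const char *user, size_t count, char *out)
{
    char buf[BUF_SIZE];
    ssize_t ret;

    if (count >= sizeof(buf))
        return -EINVAL;                /* errno choice is an assumption */
    ret = model_write_to_buffer(buf, sizeof(buf) - 1, user, count);
    if (ret < 0)
        return ret;
    buf[ret] = '\0';                   /* index = bytes actually copied */
    memcpy(out, buf, (size_t)ret + 1);
    return ret;
}
```

With the 128-byte write from the reproduction steps, the model copies only 63 bytes while the pre-fix terminator index is still 128, which is the mismatch KASAN flags.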

Impact