What is CVE-2026-46001?

CVE-2026-46001 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.9 onward and patched in 6.12.86, 6.18.27, 7.0.4 and others. CVE-2026-46001 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-46001?

CVE-2026-46001 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-46001?

Yes, CVE-2026-46001 has been patched. Fixed versions include 6.12.86, 6.18.27, 7.0.4 and others. If you are running Linux kernel 6.9 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-46001 actively exploited?

CVE-2026-46001 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-46001

In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 6.9 and later are affected. Fixed in 6.12.86, 6.18.27, 7.0.4, 7.1-rc1 and their respective stable series.

Affected from

≥ 6.9

Fixed in

✓ 6.12.86 6.12.x ✓ 6.18.27 6.18.x ✓ 7.0.4 7.0.x ✓ 7.1-rc1

References

The following references provide additional information about CVE-2026-46001 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/24c73e93d6a756e1b8626bb259d2e07c5b89b370
Patch
Kernel patch commit
https://git.kernel.org/stable/c/7eccabff1c9ec15e4b6fe186d5c147b13a9cdb4e
Patch
Kernel patch commit
https://git.kernel.org/stable/c/95d48e37a1304d6148406c799479c0fb505aefa7
Patch

4 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-46001?

CVE-2026-46001 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.9 onward and has been patched in 6.12.86, 6.18.27, 7.0.4 and others. CVE-2026-46001 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-46001?

Yes — CVE-2026-46001 has been patched. Fixed versions include 6.12.86, 6.18.27, 7.0.4 and others. If you are running Linux kernel 6.9 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-46001 actively exploited?

No — CVE-2026-46001 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.