In the Linux kernel, the following vulnerability has been resolved:
tty: hvc_iucv: fix off-by-one in number of supported devices
MAXHVCIUCVLINES == HVCALLOCTTYADAPTERS == 8. This is the number of entries in: static struct hvciucvprivate *hvciucvtable[MAXHVCIUCV_LINES];
Sometimes hvciucvtable[] is limited by: (a) if (num > hvciucvdevices) // for error detection or (b) for (i = 0; i < hvciucvdevices; i++) // in 2 places (so these 2 don't agree; second one appears to be correct to me.)
hvciucvdevices can be 0..8. This is a counter. (c) if (hvciucvdevices > MAXHVCIUCV_LINES)
If hvciucvdevices == 8, (a) allows the code to access hvciucvtable[8]. Oops.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53306.json",
"cna_assigner": "Linux"
}