Signedness Error in Network Read Path
Error sentinel values from web_read are propagated as unsigned size arguments to f_write, enabling oversized memory operations.
- CVE: CVE-2026-6822, CVE-2026-6259
- Vendor: Inhand Networks
- Product: 5G Modem
Executive Summary
The analyzed binary's Explorer-flagged read/write paths were reviewed, and 2 high-severity findings were confirmed. Both issues are signedness flaws: the error sentinel (0xffffffff) returned by web_read is propagated into the unsigned size parameter of f_write, producing oversized memory operations. Overall risk is High; exploitation appears remotely reachable via network input, but requires the read-error precondition that makes web_read return the sentinel.
Binary Profile
- Security Flags: PIE: absent, NX: absent, stack_canary: absent, RELRO: absent
- Risk Level: High
Findings
1. Signed Error Sentinel Used as f_write Length in sub_41a6ac — High
- Function: sub_41a6ac@0x41a6ac
- CWE: CWE-195 (Signed to Unsigned Conversion Error); CWE-196 (Unsigned to Signed Conversion Error)
- Category: memory_corruption
- Reachability: reachable_from_network
Description
sub_41a6ac allocates a bounded heap buffer and then uses the return value of web_read directly as the length argument to f_write. In web_read, the error path returns 0xffffffff (0x4196b4). Without a sign/error check before the sink, this sentinel is interpreted as a very large unsigned size, so f_write reads far past the heap buffer, with crash or potential information disclosure impact.
Taint Chain
web_read/fread error sentinel 0xffffffff @ 0x4196b4 →
$v0_4#4 = web_read(...) @ 0x41a798 → $s0_1#3 = $v0_4#4 @ 0x41a7a8 → $a2_1#1 = $s0_1#3 @ 0x41a818 →
f_write(..., $a2_1#1, ...) @ 0x41a814
Mitigations
- Present: none
- Absent: bounds_check, stack_canary, PIE, NX, RELRO
2. Repeated Signedness Length Propagation in sub_41ab84 — High
- Function: sub_41ab84@0x41ab84
- CWE: CWE-195 (Signed to Unsigned Conversion Error); CWE-196 (Unsigned to Signed Conversion Error)
- Category: memory_corruption
- Reachability: reachable_from_network
Description
sub_41ab84 repeats the same pattern: it stores web_read's return value and forwards it directly to f_write as the size. If web_read returns 0xffffffff on read failure, the sink consumes it as a huge unsigned length. This enables an oversized operation against the allocated input buffer and can lead to memory safety failures.
Taint Chain
web_read/fread error sentinel 0xffffffff @ 0x4196b4 →
$v0_5#5 = web_read(...) @ 0x41ac68 → $s0_1#3 = $v0_5#5 @ 0x41ac78 → $a2_1#1 = $s0_1#3 @ 0x41acbc →
f_write(..., $a2_1#1, ...) @ 0x41acb8
Mitigations
- Present: none
- Absent: bounds_check, stack_canary, PIE, NX, RELRO
Recommendation
At the call site in sub_41ab84 (and the identical one in sub_41a6ac), gate f_write on a successful, non-negative read length and clamp it to the buffer's allocated size before passing a2 at 0x41acb8. Centralize this check in a shared helper to prevent recurrence across similar read/write paths.
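Added example, not code from the vendor's firmware or from this report: the unchecked conversion the two findings describe next to a gated, clamped helper of the kind the recommendation calls for. The web_read and f_write stand-ins and their signatures (an int byte count or -1 on failure; an unsigned length at the sink) are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins (assumed signatures, not the real binary's):
 * web_read returns the byte count, or -1, which is 0xffffffff as a 32-bit
 * word, on read failure; f_write takes an unsigned length. */
static int web_read_fail(void *buf, int cap) { (void)buf; (void)cap; return -1; }
static int web_read_ok(void *buf, int cap) { (void)buf; (void)cap; return 16; }

static size_t bytes_written;  /* instrumentation so a test can observe the sink */
static void f_write(const void *buf, size_t len) { (void)buf; bytes_written += len; }

/* Vulnerable pattern: the signed return value flows straight into the
 * unsigned size parameter, so -1 becomes the largest possible length
 * (0xffffffff on the 32-bit target, SIZE_MAX on the host running this). */
size_t length_as_sink_sees_it(int web_read_rc) {
    size_t len = web_read_rc;  /* implicit signed-to-unsigned conversion */
    return len;
}

/* Hardened helper: rejects the error sentinel (any negative value) and
 * clamps a positive count to the buffer's allocated size. */
bool checked_read_len(int web_read_rc, size_t buf_cap, size_t *out_len) {
    if (web_read_rc < 0) return false;   /* read failed: never reach the sink */
    size_t len = (size_t)web_read_rc;
    if (len > buf_cap) len = buf_cap;    /* never exceed the allocation */
    *out_len = len;
    return true;
}

/* Fixed read/write path: f_write is only reached with a checked length. */
bool forward_checked(char *buf, size_t buf_cap, int (*reader)(void *, int)) {
    int rc = reader(buf, (int)buf_cap);
    size_t len;
    if (!checked_read_len(rc, buf_cap, &len)) return false;
    f_write(buf, len);
    return true;
}
```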