CVE-2026-52948

Enriched by CISA
 

In the Linux kernel, the following vulnerability has been resolved:

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

[wsa: move the comment as well]
https://nvd.nist.gov/vuln/detail/CVE-2026-52948
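The two bounds named in the description, compared in a user-space model. This is an added example, not the kernel patch or any kernel code; the function names are hypothetical, and the later conversion to jiffies is deliberately left out so that only the range check and the multiplication are shown.

```c
#include <limits.h>
#include <stdio.h>

/* Pre-fix bound from the description: only arg > INT_MAX is rejected. */
static int old_check_accepts(unsigned long arg)
{
    return arg <= INT_MAX;
}

/* Post-fix bound from the description: arg > INT_MAX / 10 is rejected. */
static int fixed_check_accepts(unsigned long arg)
{
    return arg <= INT_MAX / 10;
}

/* arg counts units of 10 ms; the product is narrowed to a 32-bit
 * unsigned millisecond count before it is handed on. */
static unsigned int ms_passed_on(unsigned long arg)
{
    return (unsigned int)(arg * 10);
}

/* The millisecond count is safe only while it still fits a signed int. */
static int ms_fits_int(unsigned long arg)
{
    return ms_passed_on(arg) <= (unsigned int)INT_MAX;
}

int main(void)
{
    /* Constructed inputs: the last accepted value under the fixed bound,
     * the first rejected one, and the value quoted in the description. */
    const unsigned long samples[] = { 214748364UL, 214748365UL, 429496729UL };

    printf("%-12s %-4s %-6s %-12s %s\n",
           "arg", "old", "fixed", "ms (u32)", "fits int");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long a = samples[i];
        printf("%-12lu %-4d %-6d 0x%08x   %d\n", a, old_check_accepts(a),
               fixed_check_accepts(a), ms_passed_on(a), ms_fits_int(a));
    }
    return 0;
}
```

Every value the fixed bound accepts yields a millisecond count that fits a signed int, which is the property the old bound did not guarantee.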

Categories

No category defined

AFFECTED (from MITRE)


Vendor Product Versions
Linux Linux
  • < 5.10.259 [affected]
  • < 5.15.210 [affected]
  • < 6.1.176 [affected]
  • < 6.6.143 [affected]
  • < 6.12.94 [affected]
  • < 6.18.36 [affected]
  • < 7.0.13 [affected]
Linux Linux
  • 5.10.259 ≤ 5.10.* [unaffected]
  • 5.15.210 ≤ 5.15.* [unaffected]
  • 6.1.176 ≤ 6.1.* [unaffected]
  • 6.6.143 ≤ 6.6.* [unaffected]
  • 6.12.94 ≤ 6.12.* [unaffected]
  • 6.18.36 ≤ 6.18.* [unaffected]
  • 7.0.13 ≤ 7.0.* [unaffected]
  • 7.1 ≤ * [unaffected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 5.10.259
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 5.15.210
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.1.176
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.6.143
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.12.94
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 6.18.36
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 7.0.13
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* < 7.1


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
No entry