Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: imx: preserve error state in block data length handler

When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX,
the length handler sets the state to IMX_I2C_STATE_FAILED. However,
i2c_imx_master_isr() unconditionally overwrites this with
IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns
buffers and crashes the system.

Guard the state transition to preserve error states set by the length
handler.
Published: 2026-02-14
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw in the i2c:imx driver causes an invalid block read length to set the interface state to a failure condition, but the interrupt handler subsequently overwrites this state unconditionally. The result is an endless read loop that overruns internal buffers and crashes the kernel. The vulnerability therefore leads to a denial of service by causing a kernel panic.

Affected Systems

Vulnerability presence is identified in the Linux kernel versions referenced by the given CPE entries, which include the generic linux_kernel family and the pre‑release 6.19rc1 through 6.19rc8 releases. The specific affected kernel branches are not explicitly enumerated in the source data; users should consult the distributor or kernel maintainer to confirm whether the upstream commit (3f9b508b3eecc00a243edf320bd83834d6a9b482) has been incorporated.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is local: an adversary would need to interact directly with an I2C device managed by the imx driver or forward a malformed block read request, and remote exploitation would require privileged access to the target hardware. Because the flaw leads only to a crash, the primary risk is denial of service rather than arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the i2c:imx block data length handler fix (commit 3f9b508b3eecc00a243edf320bd83834d6a9b482).
  • If your distribution has not yet released a patched kernel, manually apply the upstream patch or rebuild the kernel with the commit merged.
  • As a temporary measure, disable the imx I2C driver module or restrict access to the affected I2C devices until a patched kernel is available.
  • Verify that the driver implements proper null pointer checks in the block data length handler (CWE‑476) to prevent erroneous state transitions.

Generated by OpenCVE AI on April 18, 2026 at 18:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Tue, 17 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Sat, 14 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: i2c: imx: preserve error state in block data length handler When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED. However, i2c_imx_master_isr() unconditionally overwrites this with IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns buffers and crashes the system. Guard the state transition to preserve error states set by the length handler.
Title i2c: imx: preserve error state in block data length handler
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-14T16:27:22.919Z

Reserved: 2026-01-13T15:37:45.985Z

Link: CVE-2026-23197

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-14T17:15:57.540

Modified: 2026-03-19T17:45:01.960

Link: CVE-2026-23197

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-14T00:00:00Z

Links: CVE-2026-23197 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses