CVE-2026-31627 - Vulnerability Details

- i2c: s3c24xx: check the size of the SMBUS message before using it

Description

In the Linux kernel, the following vulnerability has been resolved:

i2c: s3c24xx: check the size of the SMBUS message before using it

The first byte of an i2c SMBUS message is the size, and it should be
verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX
before processing it.

This is the same logic that was added in commit a6e04f05ce0b ("i2c:
tegra: check msg length in SMBUS block read") to the i2c tegra driver.

Published: 2026-04-24

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The kernel driver for the s3c24xx I2C controller processes SMBus messages without first verifying that the size byte declared in the message is within the allowed range defined by I2C_SMBUS_BLOCK_MAX. If an attacker supplies a size value larger than the buffer that will hold the data, the driver copies more bytes than the allocated buffer can contain, corrupting kernel memory and leading to a crash. This is an example of an out‑of‑bounds write that can cause a denial of service. The CVE file lists CWE‑129 as the common weakness associated with this flaw.

Affected Systems

The vulnerability is present in the Linux kernel s3c24xx I2C driver. The known affected kernel releases include 3.10 and all newer kernels that have not incorporated the commit that added the size check. The input does not enumerate system models or device families, so the exact hardware impacted beyond the presence of a s3c24xx I2C controller is not specified. Consequently, any system running an affected kernel build with the s3c24xx driver enabled is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity. The EPSS score of <1% suggests a low probability of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need to have the ability to inject transactions onto the local I2C bus, which is typically a physical or local privilege condition. The lack of remote exploitation paths reduces the overall risk, but a patched kernel eliminates the crash risk entirely.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< fd1650da24ed54c716aa9b69e9bbd8a662e492da
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< 8f756a5964396da0fc9e0db33253a5b85dbbcbb6
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< 2d262da4bca6fab96e2e709feb95b31b0a9a03a7
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< fa00738ab30b07db1a43b9c85fc56b8cc3b7d197
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< d87d5620125a03b1eadbd5df39748215d3db7ddb
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< 377fae22a137b6b89f3f32399a58c52cf2325416
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< 71b3c316b22c555d2769126a92b1244b15a9750d
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b
`85747311ecb6167c989093c64a13807366fdd3a9`	affected	< c0128c7157d639a931353ea344fb44aad6d6e17a

Linux

affected

Version	Status	Constraints
`3.10`	affected	—
`0`	unaffected	< 3.10
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.136`	unaffected	≤ 6.6.*
`6.12.83`	unaffected	≤ 6.12.*
`6.18.24`	unaffected	≤ 6.18.*
`6.19.14`	unaffected	≤ 6.19.*
`7.0.1`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:3.10:-::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[85747311ecb6167c989093c64a13807366fdd3a9,fa00738ab30b07db1a43b9c85fc56b8cc3b7d197)`	affected	code_commit	—
`[85747311ecb6167c989093c64a13807366fdd3a9,d87d5620125a03b1eadbd5df39748215d3db7ddb)`	affected	code_commit	—
`[85747311ecb6167c989093c64a13807366fdd3a9,377fae22a137b6b89f3f32399a58c52cf2325416)`	affected	code_commit	—
`[85747311ecb6167c989093c64a13807366fdd3a9,71b3c316b22c555d2769126a92b1244b15a9750d)`	affected	code_commit	—
`[85747311ecb6167c989093c64a13807366fdd3a9,aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b)`	affected	code_commit	—
`[85747311ecb6167c989093c64a13807366fdd3a9,c0128c7157d639a931353ea344fb44aad6d6e17a)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.10`	affected	generic	—
`[0,3.10)`	unaffected	generic	—
`[6.6.136,6.6.*]`	unaffected	generic	—
`[6.12.83,6.12.*]`	unaffected	generic	—
`[6.18.24,6.18.*]`	unaffected	generic	—
`[7.0.1,7.0.*]`	unaffected	generic	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a release that contains the commit a6e04f05ce0b or later, which adds the SMBus message size bounds check.
If the system cannot be updated, apply the relevant patch from the kernel commit to the s3c24xx driver to enforce the size limit.
Limit access to the I2C bus by disabling unused drivers, setting appropriate device permissions, or isolating the bus with hardware controls.

Generated by OpenCVE AI on April 28, 2026 at 23:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2d262da4bca6fab96e2e709feb95b31b0a9a03a7
https://git.kernel.org/stable/c/377fae22a137b6b89f3f32399a58c52cf2325416
https://git.kernel.org/stable/c/71b3c316b22c555d2769126a92b1244b15a9750d
https://git.kernel.org/stable/c/8f756a5964396da0fc9e0db33253a5b85dbbcbb6
https://git.kernel.org/stable/c/aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b
https://git.kernel.org/stable/c/c0128c7157d639a931353ea344fb44aad6d6e17a
https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb
https://git.kernel.org/stable/c/fa00738ab30b07db1a43b9c85fc56b8cc3b7d197
https://git.kernel.org/stable/c/fd1650da24ed54c716aa9b69e9bbd8a662e492da
https://lore.kernel.org/linux-cve-announce/2026042427-CVE-2026-31627-bd9b@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31627
https://www.cve.org/CVERecord?id=CVE-2026-31627

History

Mon, 01 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/2d262da4bca6fab96e2e709feb95b31b0a9a03a7 https://git.kernel.org/stable/c/8f756a5964396da0fc9e0db33253a5b85dbbcbb6 https://git.kernel.org/stable/c/fd1650da24ed54c716aa9b69e9bbd8a662e492da

Wed, 29 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-129

Mon, 27 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:3.10:-::::::

Mon, 27 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/fa00738ab30b07db1a43b9c85fc56b8cc3b7d197

Mon, 27 Apr 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/c0128c7157d639a931353ea344fb44aad6d6e17a

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026042427-CVE-2026-31627-bd9b@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31627 https://www.cve.org/CVERecord?id=CVE-2026-31627

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: i2c: s3c24xx: check the size of the SMBUS message before using it The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.
Title		i2c: s3c24xx: check the size of the SMBUS message before using it
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/377fae22a137b6b89f3f32399a58c52cf2325416 https://git.kernel.org/stable/c/71b3c316b22c555d2769126a92b1244b15a9750d https://git.kernel.org/stable/c/aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:42:48.342Z

Updated: 2026-06-01T16:12:59.001Z

Reserved: 2026-03-09T15:48:24.124Z

Link: CVE-2026-31627

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-24T15:16:42.003

Modified: 2026-06-01T17:16:53.753

Link: CVE-2026-31627

Redhat

Severity :

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31627 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object