Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().

A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

[wsa: move the comment as well]
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in the Linux kernel I2C driver when handling the I2C_TIMEOUT ioctl. A user can supply a timeout value that passes the initial INT_MAX check but, after being multiplied by ten, overflows a 32‑bit integer. The truncated result is then cast to a signed 32‑bit value, interpreted as a negative number, and used in a wait_for_completion_timeout call. The negative value is sign‑extended to an unsigned 64‑bit variable, causing the scheduler to emit a warning and return prematurely, leaving the SMBus controller in an unrecoverable state. An attacker can exploit this locally to trigger a denial of service on an affected device.
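The arithmetic described above, as a userspace C model added here; it is not kernel code and not taken from the patch. The function names, `MODEL_EINVAL` and the sample list are assumptions made for illustration, and the 64-bit argument and 32-bit millisecond widths follow the description.

```c
/* Userspace model of the I2C_TIMEOUT bound (added example, not kernel code). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_EINVAL 22 /* stand-in for the kernel's EINVAL */

/* Before the fix: the 10 ms count is only compared against INT_MAX. */
static int check_before_fix(uint64_t arg) { return arg > (uint64_t)INT_MAX ? -MODEL_EINVAL : 0; }

/* After the fix: bounded so that arg * 10 still fits in a signed int. */
static int check_after_fix(uint64_t arg) { return arg > (uint64_t)(INT_MAX / 10) ? -MODEL_EINVAL : 0; }

/* arg * 10 as seen through a 32-bit unsigned parameter (assumed width). */
static uint32_t ms_truncated(uint64_t arg) { return (uint32_t)(arg * 10); }

/* The same 32 bits read back as a signed int (two's complement assumed). */
static int32_t ms_as_int(uint64_t arg) { return (int32_t)ms_truncated(arg); }

/* 1 if the requested milliseconds survive the 32-bit signed round trip. */
static int round_trips(uint64_t arg) { return (int64_t)ms_as_int(arg) == (int64_t)(arg * 10); }

/* Constructed samples: boundary values plus the value quoted in the description. */
static const uint64_t samples[] = { 100, INT_MAX / 10, INT_MAX / 10 + 1,
                                    429496729, 429496730, INT_MAX };
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Count samples a check accepts although the milliseconds do not survive. */
static int count_unsafe(int (*check)(uint64_t))
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (check(samples[i]) == 0 && !round_trips(samples[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("arg=%llu u32=%u int=%d before=%d after=%d\n",
               (unsigned long long)samples[i], ms_truncated(samples[i]),
               ms_as_int(samples[i]), check_before_fix(samples[i]),
               check_after_fix(samples[i]));
    printf("unsafe accepted: before=%d after=%d\n",
           count_unsafe(check_before_fix), count_unsafe(check_after_fix));
    return 0;
}
```

Every sample that the `INT_MAX / 10` bound accepts round-trips unchanged, while the older `INT_MAX` comparison accepts values whose product no longer fits in 32 signed bits.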

Affected Systems

All Linux kernel systems that include the i2c-dev driver are affected. The vulnerability is present in any kernel version that has the bug in the I2C_TIMEOUT ioctl handling before the patch that limits the input to INT_MAX/10. Specific version ranges are not listed, so any unpatched kernel should be considered vulnerable.

Risk and Exploitability

The issue is local; a user with access to the /dev/i2c* device can trigger the overflow. The EPSS score is unavailable and the vulnerability is not in CISA KEV, but the CVSS severity is implied to be high due to the direct local denial of service and the likelihood of exploitation via a standard ioctl interface. The bug can be triggered without special privileges beyond those required to access the device, so any untrusted process that can open the device risks bringing the system to a stopped state by corrupting the SMBus state machine.

Generated by OpenCVE AI on June 24, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that adds the INT_MAX/10 bound to the I2C_TIMEOUT ioctl input
  • Ensure /dev/i2c* device files are only readable/writable by privileged users or the specific service that requires access
  • Monitor system logs for the 'schedule_timeout: wrong timeout value' warning and take corrective action if it appears

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:26:05.719Z

Reserved: 2026-06-09T07:44:35.371Z

Link: CVE-2026-52948

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:40:36Z

Weaknesses

No weakness.