Description
In the Linux kernel, the following vulnerability has been resolved:

i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()

On all modern platforms Qualcomm CCI controller provides two I2C masters,
and on particular boards only one I2C master may be initialized, and in
such cases the device unbinding or driver removal causes a NULL pointer
dereference, because cci_halt() is called for all two I2C masters, but
a completion is initialized only for the single enabled master:

% rmmod i2c-qcom-cci
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
<snip>
Call trace:
__wait_for_common+0x194/0x1a8 (P)
wait_for_completion_timeout+0x20/0x2c
cci_remove+0xc4/0x138 [i2c_qcom_cci]
platform_remove+0x20/0x30
device_remove+0x4c/0x80
device_release_driver_internal+0x1c8/0x224
driver_detach+0x50/0x98
bus_remove_driver+0x6c/0xbc
driver_unregister+0x30/0x60
platform_driver_unregister+0x14/0x20
qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci]
....
Published: 2026-07-01
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the Qualcomm CCI driver when it is removed from the system while only one I²C master is active. The driver calls cci_halt() for both masters but the completion object for the inactive master has never been initialized, causing a dereference of a NULL pointer. The kernel therefore panics with a null pointer exception at address 0, which requires a system reboot to recover. The flaw is purely a local denial‑of‑service that impacts system stability and availability.

Affected Systems

Linux kernels that include the i2c‑qcom‑cci module before the commit addressing this issue are affected. All distributions shipping a kernel that contains the unpatched Qualcomm CCI driver, regardless of version, are vulnerable, since the flaw exists in the source tree and is not tied to a specific release. The risk applies to any system that loads this module and has the privilege to remove it.

Risk and Exploitability

The CVSS score of 5.5 classifies the vulnerability as medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, implying no widely known exploitation. Exploitation requires local access with the privilege to unload kernel modules (root or CAP_SYS_MODULE). An attacker who can execute a command such as rmmod i2c‑qcom‑cci can trigger the crash, leading to a kernel panic and a denial of service until the system is rebooted. No remote or automatic exploitation vector is documented in the data.

Generated by OpenCVE AI on July 2, 2026 at 13:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the commit fixing the null pointer dereference in the i2c‑qcom‑cci driver.
  • If a kernel upgrade is not immediately possible, download the patch from the commits referenced in the advisory, apply it to the local kernel source, rebuild the i2c‑qcom‑cci module, and load the patched version.
  • For systems that do not rely on a Qualcomm CCI controller, blacklist or disable the i2c‑qcom‑cci module or restrict the capability to unload kernel modules so that only trusted accounts can remove it.

Generated by OpenCVE AI on July 2, 2026 at 13:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 01 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 01 Jul 2026 13:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() On all modern platforms Qualcomm CCI controller provides two I2C masters, and on particular boards only one I2C master may be initialized, and in such cases the device unbinding or driver removal causes a NULL pointer dereference, because cci_halt() is called for all two I2C masters, but a completion is initialized only for the single enabled master: % rmmod i2c-qcom-cci Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 <snip> Call trace: __wait_for_common+0x194/0x1a8 (P) wait_for_completion_timeout+0x20/0x2c cci_remove+0xc4/0x138 [i2c_qcom_cci] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 driver_detach+0x50/0x98 bus_remove_driver+0x6c/0xbc driver_unregister+0x30/0x60 platform_driver_unregister+0x14/0x20 qcom_cci_driver_exit+0x18/0x1008 [i2c_qcom_cci] ....
Title i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-01T13:32:21.709Z

Reserved: 2026-06-09T07:44:35.399Z

Link: CVE-2026-53339

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-07-01T00:00:00Z

Links: CVE-2026-53339 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-02T13:45:02Z

Weaknesses