KernelScan.io

HIGH

i2c SMBUS OOB

CVE-2026-31627

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI 7.8 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

i2c: s3c24xx: check the size of the SMBUS message before using it

The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.

02

Engine v0.2.0

Risk summary

Local attackers with low privileges can trigger an out-of-bounds write in the Samsung S3C24xx I2C driver during SMBUS block read operations. A malicious I2C slave can provide an invalid length byte (0 or greater than I2C_SMBUS_BLOCK_MAX), causing the driver to write beyond the bounds of the SMBUS data buffer. This leads to kernel stack memory corruption, potentially enabling privilege escalation, information disclosure, or system crashes on devices using this I2C controller.

Affected: drivers/i2c/busses/i2c-s3c2410.c (I2C subsystem)

Vulnerability analysis

The vulnerability exists in the SMBUS block read emulation where the driver trusts the first byte received from the I2C bus as the message length without validation. When the I2C_M_RECV_LEN flag is set and the initial message length is 1, the driver adds the received byte to msg->len and continues reading bytes into msg->buf. If the received length exceeds I2C_SMBUS_BLOCK_MAX (32), subsequent bytes are written past the allocated buffer boundary. Because the buffer typically resides on the kernel stack (via union i2c_smbus_data in the SMBUS ioctl path), this constitutes a stack buffer overflow with attacker-controlled data and length. The fix adds bounds checking to reject length values of 0 or greater than I2C_SMBUS_BLOCK_MAX before extending the message length.
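The length handling described above, as an added user-space model (not the driver's code and not the upstream patch). The function name, the guard arena and the sample bytes are constructed for illustration, and the buffer size assumes the block array of union i2c_smbus_data is I2C_SMBUS_BLOCK_MAX + 2 bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define I2C_SMBUS_BLOCK_MAX 32                   /* value given in the analysis */
#define SMBUS_BUF_LEN (I2C_SMBUS_BLOCK_MAX + 2)  /* assumed size of the block buffer */
#define ARENA_LEN 512                            /* model only: buffer plus guard space */

/* Model of a byte-at-a-time receive for a message flagged I2C_M_RECV_LEN.
 * wire[0] is the length byte supplied by the device on the bus.
 * Returns the number of bytes stored past SMBUS_BUF_LEN (0 = in bounds),
 * or -1 when validation is on and the length byte is rejected. */
static int model_block_read(const uint8_t *wire, size_t wire_len, int validate)
{
    uint8_t arena[ARENA_LEN];  /* first SMBUS_BUF_LEN bytes stand in for msg->buf */
    size_t len = 1;            /* msg->len starts at 1: only the length byte */
    size_t ptr = 0;
    int oob = 0;

    memset(arena, 0xA5, sizeof(arena));
    while (ptr < len && ptr < wire_len) {
        uint8_t byte = wire[ptr];

        if (ptr >= SMBUS_BUF_LEN)
            oob++;             /* in the driver this store would be out of bounds */
        arena[ptr++] = byte;

        if (ptr == 1 && len == 1) {  /* first byte received: extend the message */
            if (validate && (byte == 0 || byte > I2C_SMBUS_BLOCK_MAX))
                return -1;           /* checked behaviour: stop the transfer */
            len += byte;             /* unchecked behaviour trusts the device */
        }
    }
    return oob;
}

int main(void)
{
    uint8_t wire[201];               /* constructed sample: device claims 200 bytes */

    memset(wire, 0x41, sizeof(wire));
    wire[0] = 200;
    printf("unchecked: %d bytes past the buffer\n",
           model_block_read(wire, sizeof(wire), 0));
    printf("checked:   %d (-1 = rejected)\n",
           model_block_read(wire, sizeof(wire), 1));
    return 0;
}
```
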

03

Branch      Fixed in    Patch commit
5.10        5.10.258    fd1650da24ed
5.15        5.15.209    8f756a596439
6.1         6.1.175     2d262da4bca6
6.12        6.12.83     d87d5620125a
6.18        6.18.24     377fae22a137
6.19        6.19.14     71b3c316b22c
6.6         6.6.136     fa00738ab30b
7.0         7.0.1       aaaaec39ddbc
mainline    7.1-rc1     c0128c7157d6