Bug 2492395 (CVE-2026-52948) - CVE-2026-52948 kernel: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
Summary: CVE-2026-52948 kernel: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
Keywords:
Status: NEW
Alias: CVE-2026-52948
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-24 18:09 UTC by OSIDB Bzimport
Modified: 2026-06-26 15:01 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-24 18:09:45 UTC
In the Linux kernel, the following vulnerability has been resolved:

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().

A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

[wsa: move the comment as well]

Comment 1 Mauro Matteo Cascella 2026-06-26 14:56:54 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026062403-CVE-2026-52948-e07f@gregkh/T


Note You need to log in before you can comment on or make changes to this bug.