CVE-2022-50394
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-18

Last updated on: 2025-12-12

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: i2c: ismt: Fix an out-of-bounds bug in ismt_access() When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug. The following log can reveal it: [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c Fix this bug by checking the size of 'data->block[0]' first.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-18
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-09-18
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50394
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 3.9 (inc) to 4.9.337 (exc)
linux linux_kernel From 4.10 (inc) to 4.14.303 (exc)
linux linux_kernel From 4.15 (inc) to 4.19.270 (exc)
linux linux_kernel From 4.20 (inc) to 5.4.229 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.163 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.86 (exc)
linux linux_kernel From 5.16 (inc) to 6.0.16 (exc)
linux linux_kernel From 6.1 (inc) to 6.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an out-of-bounds bug in the Linux kernel's i2c ismt driver, specifically in the ismt_access() function. It occurs because the driver does not properly check the size of the data provided by the user, allowing a very large value in 'data->block[0]' to cause an out-of-bounds memory access. This can lead to kernel memory corruption or crashes.

Detection Guidance

This vulnerability can be detected by checking the system logs for specific kernel messages indicating an out-of-bounds bug in the ismt_access() function. Look for log entries similar to: '[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold' or related traces involving 'ismt_smbus' and 'i2c'. You can use the command 'dmesg | grep -i ismt' or 'journalctl -k | grep -i ismt' to search for these messages in kernel logs.

Mitigation Strategies

The immediate mitigation step is to update the Linux kernel to a version where this vulnerability is fixed, which includes the check on the size of 'data->block[0]' in the ismt driver. Until then, avoid using or exposing the vulnerable i2c ismt driver functionality to untrusted users or processes to prevent exploitation.

Impact Analysis

The vulnerability can cause out-of-bounds memory access in the kernel, potentially leading to system instability, crashes, or security issues such as privilege escalation or denial of service if exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50394. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart