CVE-2026-52948
Received Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-52948
EUVD
EUVD-2026-38816
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel to 429496729 (exc)
linux linux_kernel to 5.10.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's I2C driver, specifically in the handling of the I2C_TIMEOUT ioctl command.

The ioctl accepts a user-provided timeout value in multiples of 10 milliseconds. Although the input is checked against the maximum integer value (INT_MAX), it is then multiplied by 10 without proper bounds checking, which can cause an integer overflow.

A malicious user can supply a large timeout value that passes the initial check but overflows when multiplied by 10. This overflow results in a truncated 32-bit unsigned value that bypasses further internal checks.

This truncated value is assigned to a signed 32-bit integer representing the timeout, which can be interpreted as a negative number. When this negative timeout is used in kernel functions, it triggers warnings and causes premature returns, leaving the SMBus controller's state machine corrupted and unrecoverable.

Overall, this leads to a local Denial of Service (DoS) condition by disrupting the SMBus controller's normal operation.

Impact Analysis

This vulnerability can cause a local Denial of Service (DoS) on affected Linux systems.

By exploiting the integer overflow in the I2C_TIMEOUT ioctl, an attacker with local access can corrupt the SMBus controller's state machine, causing it to become unrecoverable.

This disruption can lead to malfunctioning of hardware components that rely on the SMBus, potentially affecting system stability or functionality.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability manifests as a persistent "schedule_timeout: wrong timeout value" warning in the Linux kernel logs, accompanied by SMBus controller state machine corruption.

To detect this issue on your system, you can monitor the kernel logs for the specific warning message.

  • Use the command: dmesg | grep 'schedule_timeout: wrong timeout value'
  • Check system logs with: journalctl -k | grep 'schedule_timeout: wrong timeout value'

These commands help identify if the kernel has logged the warning related to this vulnerability, indicating potential exploitation or occurrence.

Mitigation Strategies

The vulnerability is caused by an integer overflow in the I2C_TIMEOUT ioctl handling in the Linux kernel.

Immediate mitigation involves updating the Linux kernel to a version where this issue has been fixed, specifically where the user argument to the ioctl is properly bounded to INT_MAX / 10.

Until the kernel is updated, restrict untrusted users from accessing the I2C_TIMEOUT ioctl interface to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart