CVE-2026-52948
Analyzed Analyzed - Analysis Complete

Integer Overflow in Linux Kernel I2C Subsystem

Vulnerability report for CVE-2026-52948, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.29
linux linux_kernel 2.6.29
linux linux_kernel 2.6.29
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.176 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.210 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel From 2.6.29.1 (inc) to 5.10.259 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's I2C driver, specifically in the handling of the I2C_TIMEOUT ioctl command.

The ioctl accepts a user-provided timeout value in multiples of 10 milliseconds. Although the input is checked against the maximum integer value (INT_MAX), it is then multiplied by 10 without proper bounds checking, which can cause an integer overflow.

A malicious user can supply a large timeout value that passes the initial check but overflows when multiplied by 10. This overflow results in a truncated 32-bit unsigned value that bypasses further internal checks.

This truncated value is assigned to a signed 32-bit integer representing the timeout, which can be interpreted as a negative number. When this negative timeout is used in kernel functions, it triggers warnings and causes premature returns, leaving the SMBus controller's state machine corrupted and unrecoverable.

Overall, this leads to a local Denial of Service (DoS) condition by disrupting the SMBus controller's normal operation.

Impact Analysis

This vulnerability can cause a local Denial of Service (DoS) on affected Linux systems.

By exploiting the integer overflow in the I2C_TIMEOUT ioctl, an attacker with local access can corrupt the SMBus controller's state machine, causing it to become unrecoverable.

This disruption can lead to malfunctioning of hardware components that rely on the SMBus, potentially affecting system stability or functionality.

Detection Guidance

This vulnerability manifests as a persistent "schedule_timeout: wrong timeout value" warning in the Linux kernel logs, accompanied by SMBus controller state machine corruption.

To detect this issue on your system, you can monitor the kernel logs for the specific warning message.

  • Use the command: dmesg | grep 'schedule_timeout: wrong timeout value'
  • Check system logs with: journalctl -k | grep 'schedule_timeout: wrong timeout value'

These commands help identify if the kernel has logged the warning related to this vulnerability, indicating potential exploitation or occurrence.

Mitigation Strategies

The vulnerability is caused by an integer overflow in the I2C_TIMEOUT ioctl handling in the Linux kernel.

Immediate mitigation involves updating the Linux kernel to a version where this issue has been fixed, specifically where the user argument to the ioctl is properly bounded to INT_MAX / 10.

Until the kernel is updated, restrict untrusted users from accessing the I2C_TIMEOUT ioctl interface to prevent exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart