In the Linux kernel, the following vulnerability has been resolved:

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
timeout value` warning was observed, accompanied by SMBus controller
state machine corruption.

The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
10 ms. The user argument is checked against INT_MAX, but it is
subsequently multiplied by 10 before being passed to msecs_to_jiffies().

A malicious user can pass a large value (e.g., 429496729) that passes
the `arg > INT_MAX` check but overflows when multiplied by 10. This
results in a truncated 32-bit unsigned value that bypasses the
internal `(int)m < 0` check in `msecs_to_jiffies()`.

The truncated value is then assigned to `client->adapter->timeout`
(a signed 32-bit int), which is reinterpreted as a negative number.
When passed to wait_for_completion_timeout(), this negative value
undergoes sign extension to a 64-bit unsigned long, triggering the
`schedule_timeout` warning and causing premature returns. This leaves
the SMBus state machine in an unrecoverable state, constituting a
local Denial of Service (DoS).

Fix this by bounding the user argument to `INT_MAX / 10`.

[wsa: move the comment as well]

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Linux Linux unaffected
Version Status Constraints
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < e9ffd5f5050fbb199d270a85614cd27ebed6fbac
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < 0b88ecfbc9dc33b4db8836c37b50cf174e6c0691
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < 943e318eedbeaeea08ece3f5dd44c982f4ed2ef5
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < aa6ef734016912653a909477fb30aeb66c98b3a2
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < ff02add34ffd03449b8115904ebe2ec4fed022d4
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < ffbcf31f032eb454ebfd29309f51366fe57f4ac4
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < 4576621dc6577f21a032acfd16c3ad61907a5ea7
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 affected < 617eb7c0961a8dfcfc811844a6396e406b2923ea
0 affected < 5.10.259
0 affected < 5.15.210
0 affected < 6.1.176
0 affected < 6.6.143
0 affected < 6.12.94
0 affected < 6.18.36
0 affected < 7.0.13
Linux Linux affected
Version Status Constraints
5.10.259 unaffected ≤ 5.10.*
5.15.210 unaffected ≤ 5.15.*
6.1.176 unaffected ≤ 6.1.*
6.6.143 unaffected ≤ 6.6.*
6.12.94 unaffected ≤ 6.12.*
6.18.36 unaffected ≤ 6.18.*
7.0.13 unaffected ≤ 7.0.*
7.1 unaffected ≤ *

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

No data.

Project Subscriptions

Vendors Products
Linux Subscribe
Linux Kernel Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/0b88ecfbc9dc33b4db8836c37b50cf174e6c0691 cve-icon
https://git.kernel.org/stable/c/4576621dc6577f21a032acfd16c3ad61907a5ea7 cve-icon
https://git.kernel.org/stable/c/617eb7c0961a8dfcfc811844a6396e406b2923ea cve-icon
https://git.kernel.org/stable/c/943e318eedbeaeea08ece3f5dd44c982f4ed2ef5 cve-icon
https://git.kernel.org/stable/c/aa6ef734016912653a909477fb30aeb66c98b3a2 cve-icon
https://git.kernel.org/stable/c/e9ffd5f5050fbb199d270a85614cd27ebed6fbac cve-icon
https://git.kernel.org/stable/c/ff02add34ffd03449b8115904ebe2ec4fed022d4 cve-icon
https://git.kernel.org/stable/c/ffbcf31f032eb454ebfd29309f51366fe57f4ac4 cve-icon
History

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]
Title i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:26:05.719Z

Reserved: 2026-06-09T07:44:35.371Z

Link: CVE-2026-52948

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T18:30:06Z

Weaknesses

No weakness.