CVE-2026-23197

When a block read returns an invalid length, zero or >I2CSMBUSBLOCKMAX, the length handler sets the state to IMXI2CSTATEFAILED. However, i2cimxmasterisr() unconditionally overwrites this with IMXI2CSTATEREAD_CONTINUE, causing an endless read loop that overruns buffers and crashes the system.

Guard the state transition to preserve error states set by the length handler.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23197.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

5f5c2d4579ca6836f5604cca979debd68ecfe23f

Fixed

3f9b508b3eecc00a243edf320bd83834d6a9b482

Fixed

b126097b0327437048bd045a0e4d273dea2910dd

Affected versions

v6.*

v6.12

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.14

v6.14-rc1

v6.14-rc2

v6.14-rc3

v6.14-rc4

v6.14-rc5

v6.14-rc6

v6.14-rc7

v6.15

v6.15-rc1

v6.15-rc2

v6.15-rc3

v6.15-rc4

v6.15-rc5

v6.15-rc6

v6.15-rc7

v6.16

v6.16-rc1

v6.16-rc2

v6.16-rc3

v6.16-rc4

v6.16-rc5

v6.16-rc6

v6.16-rc7

v6.17

v6.17-rc1

v6.17-rc2

v6.17-rc3

v6.17-rc4

v6.17-rc5

v6.17-rc6

v6.17-rc7

v6.18

v6.18-rc1

v6.18-rc2

v6.18-rc3

v6.18-rc4

v6.18-rc5

v6.18-rc6

v6.18-rc7

v6.18.1

v6.18.2

v6.18.3

v6.18.4

v6.18.5

v6.18.6

v6.18.7

v6.18.8

v6.18.9

v6.19-rc1

v6.19-rc2

v6.19-rc3

v6.19-rc4

v6.19-rc5

v6.19-rc6

v6.19-rc7

v6.19-rc8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23197.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.10

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23197.json"