CVE-2026-52948

Source
https://cve.org/CVERecord?id=CVE-2026-52948
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52948.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-52948
Downstream
Published
2026-06-24T16:26:05.719Z
Modified
2026-07-12T03:55:16.627151368Z
Summary
i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl

While fuzzing with Syzkaller, a persistent schedule_timeout: wrong timeout value warning was observed, accompanied by SMBus controller state machine corruption.

The I2CTIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INTMAX, but it is subsequently multiplied by 10 before being passed to msecstojiffies().

A malicious user can pass a large value (e.g., 429496729) that passes the arg > INT_MAX check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal (int)m < 0 check in msecs_to_jiffies().

The truncated value is then assigned to client->adapter->timeout (a signed 32-bit int), which is reinterpreted as a negative number. When passed to waitforcompletion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the schedule_timeout warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS).

Fix this by bounding the user argument to INT_MAX / 10.

[wsa: move the comment as well]

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/52xxx/CVE-2026-52948.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cd97f39b7cdf1c8a9c9f52865eec795b7f0c811d
Fixed
e9ffd5f5050fbb199d270a85614cd27ebed6fbac
Fixed
0b88ecfbc9dc33b4db8836c37b50cf174e6c0691
Fixed
943e318eedbeaeea08ece3f5dd44c982f4ed2ef5
Fixed
aa6ef734016912653a909477fb30aeb66c98b3a2
Fixed
ff02add34ffd03449b8115904ebe2ec4fed022d4
Fixed
ffbcf31f032eb454ebfd29309f51366fe57f4ac4
Fixed
4576621dc6577f21a032acfd16c3ad61907a5ea7
Fixed
617eb7c0961a8dfcfc811844a6396e406b2923ea

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52948.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.29
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-52948.json"