CVE-2026-23197
N/A
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
i2c: imx: preserve error state in block data length handler
When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED. However, i2c_imx_master_isr() unconditionally overwrites this with IMX_I2C_STATE_READ_CONTINUE, causing an endless read loop that overruns buffers and crashes the system.
Guard the state transition to preserve error states set by the length handler.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5f5c2d4579ca6836f5604cca979debd68ecfe23f < 3f9b508b3eecc00a243edf320bd83834d6a9b482 | affected |
| Linux | Linux | 5f5c2d4579ca6836f5604cca979debd68ecfe23f < b126097b0327437048bd045a0e4d273dea2910dd | affected |
| Linux | Linux | 6.13 | affected |
| Linux | Linux | 0 < 6.13 | unaffected |
| Linux | Linux | 6.18.10 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/3f9b508b3eecc00a243edf320bd83834d6a9b482
- https://git.kernel.org/stable/c/b126097b0327437048bd045a0e4d273dea2910dd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.