CVE-2022-50394

HIGH

Linux Kernel < 4.9.337 - Out-of-Bounds Read

Title source: rule
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: i2c: ismt: Fix an out-of-bounds bug in ismt_access() When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug. The following log can reveal it: [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c Fix this bug by checking the size of 'data->block[0]' first.

References (9)

Core 9

Scores

CVSS v3 7.1
EPSS 0.0002
EPSS Percentile 3.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-125
Status published
Products (9)
linux/Kernel 3.9.0 - 4.9.337linux
linux/Kernel 4.10.0 - 4.14.303linux
linux/Kernel 4.15.0 - 4.19.270linux
linux/Kernel 4.20.0 - 5.4.229linux
linux/Kernel 5.11.0 - 5.15.86linux
linux/Kernel 5.16.0 - 6.0.16linux
linux/Kernel 5.5.0 - 5.10.163linux
linux/Kernel 6.1.0 - 6.1.2linux
linux/linux_kernel 3.9 - 4.9.337
Published Sep 18, 2025
Tracked Since Feb 18, 2026