CVE-2022-50394

HIGH

Linux Kernel - Out-of-bounds Read in ismt_access()

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: i2c: ismt: Fix an out-of-bounds bug in ismt_access() When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug. The following log can reveal it: [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c Fix this bug by checking the size of 'data->block[0]' first.

References (9)

Core 9

Scores

CVSS v3 7.1
EPSS 0.0015
EPSS Percentile 4.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-125
Status published
Products (29)
linux/Kernel 3.9.0 - 4.9.337linux
linux/Kernel 4.10.0 - 4.14.303linux
linux/Kernel 4.15.0 - 4.19.270linux
linux/Kernel 4.20.0 - 5.4.229linux
linux/Kernel 5.11.0 - 5.15.86linux
linux/Kernel 5.16.0 - 6.0.16linux
linux/Kernel 5.5.0 - 5.10.163linux
linux/Kernel 6.1.0 - 6.1.2linux
Linux/Linux < 3.9
Linux/Linux 13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 - 03b7ef7a6c5ca1ff553470166b4919db88b810f6
... and 19 more
Published Sep 18, 2025
Tracked Since Feb 18, 2026