Skip to main content

Linux Kernel CVE-2026-31627

| EUVDEUVD-2026-25520 HIGH
2026-04-24 Linux GHSA-q8hh-7xg8-pfvm
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:52 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:43 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:37 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25520
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

i2c: s3c24xx: check the size of the SMBUS message before using it

The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it.

This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.

AnalysisAI

Buffer overflow in Linux kernel's s3c24xx I2C driver allows local authenticated attackers to achieve arbitrary code execution with high privileges through malformed SMBUS block read messages. The driver fails to validate message length against I2C_SMBUS_BLOCK_MAX before processing, enabling out-of-bounds memory access. Vendor patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% suggests low observed exploitation activity, with no CISA KEV listing indicating targeted rather than widespread attacks. Attack requires local access and low-level user privileges (CVSS AV:L/PR:L), limiting practical exploitability compared to the high CVSS 7.8 base score.

Technical ContextAI

The vulnerability resides in the Linux kernel's I2C subsystem, specifically the Samsung S3C24xx I2C controller driver (drivers/i2c/busses/i2c-s3c2410.c). I2C SMBUS (System Management Bus) is a two-wire protocol commonly used for low-speed device communication, particularly in embedded systems and hardware monitoring. SMBUS block read operations encode the message length in the first byte, which must not exceed I2C_SMBUS_BLOCK_MAX (32 bytes per specification). The s3c24xx driver lacked bounds checking on this length field before using it to copy data, creating a classic buffer overflow condition. This mirrors CVE-2021-3609 in the Tegra I2C driver (commit a6e04f05ce0b), suggesting a common pattern of missing validation across I2C controller implementations. The affected CPE strings indicate all Linux kernel versions from the initial git commit (1da177e4c3f4) through specific fixed commits, spanning nearly two decades of kernel development. Samsung S3C24xx processors are ARM-based SoCs used in embedded devices, smartphones, and IoT applications, meaning affected systems are likely embedded/mobile rather than server infrastructure.

RemediationAI

Upgrade to patched Linux kernel versions 6.12.83, 6.18.24, 6.19.14, or 7.0.1 depending on your stable branch, available from kernel.org stable tree (https://git.kernel.org/stable/c/d87d5620125a03b1eadbd5df39748215d3db7ddb and related commits). For systems unable to immediately patch, implement compensating controls by restricting access to I2C device nodes: remove world and group permissions on /dev/i2c-* devices using 'chmod 600 /dev/i2c-*' and ensure only trusted root processes access I2C subsystem via udev rules. Alternatively, blacklist the i2c-s3c2410 kernel module if I2C hardware monitoring is not required ('echo "blacklist i2c-s3c2410" >> /etc/modprobe.d/blacklist.conf' and reboot), though this disables legitimate I2C functionality including hardware sensors and power management features. For embedded devices with read-only root filesystems, enforce mandatory access controls (SELinux/AppArmor) denying untrusted processes CAP_SYS_RAWIO capability required for /dev/i2c access, accepting the operational overhead of policy development. Verify patch application by checking kernel version ('uname -r') matches fixed releases or inspecting i2c-s3c2410.c source for length validation logic.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31627 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy