CVE-2022-50394

Source
https://cve.org/CVERecord?id=CVE-2022-50394
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50394.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50394
Downstream
Related
Published
2025-09-18T13:33:12.992Z
Modified
2026-07-11T03:54:14.009603879Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismtsmbus 0000:00:05.0: I2CSMBUSBLOCKDATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismtaccess.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismtpoc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] _i2csmbusxfer+0x44f/0xfb0 [ 34.004007] i2csmbusxfer+0x10a/0x390 [ 34.004291] i2cdevioctlsmbus+0x2c8/0x710 [ 34.005196] i2cdevioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block[0]' first.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50394.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9
Fixed
4a7bb1d93addb2f67e36fed00a53cb7f270d7b7a
Fixed
03b7ef7a6c5ca1ff553470166b4919db88b810f6
Fixed
bfe41d966c860a8ad4c735639d616da270c92735
Fixed
cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd
Fixed
9ac541a0898e8ec187a3fa7024b9701cffae6bf2
Fixed
96c12fd0ec74641295e1c3c34dea3dce1b6c3422
Fixed
a642469d464b2780a25a49b51ae56623c65eac34
Fixed
233348a04becf133283f0076e20b317302de21d9
Fixed
39244cc754829bf707dccd12e2ce37510f5b1f8d

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50394.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.9.0
Fixed
4.9.337
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.303
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.270
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.229
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.163
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.86
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.16
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50394.json"