i2c Client Timeout Bug in Linux Kernel Affects Multiple Device Operations
CVE-2025-38671

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 22 August 2025

What is CVE-2025-38671?

In the Linux kernel, there is a vulnerability in the i2c: qup module that can lead to system instability when a client maintains an active bus connection despite a timeout. This flaw occurs when the original logic incorrectly handles timeouts, merely setting a return value without properly exiting the loop. Consequently, a malicious or faulty i2c client has the potential to hang the kernel, impeding normal operation. A fix has been implemented to ensure that upon a timeout, the logic now correctly exits the loop and returns to the caller with an appropriate -ETIMEDOUT error, thus mitigating the risk of system hang.

Affected Version(s)

Linux fbfab1ab065879370541caf0e514987368eb41b2

Linux fbfab1ab065879370541caf0e514987368eb41b2 < 0d33913fce67a93c1eb83396c3c9d6b411dcab33

Linux fbfab1ab065879370541caf0e514987368eb41b2 < 42c4471b30fa203249f476dd42321cd7efb7f6a8

References

https://git.kernel.org/stable/c/c523bfba46c4b4d7676fb0509...

https://git.kernel.org/stable/c/0d33913fce67a93c1eb83396c...

https://git.kernel.org/stable/c/42c4471b30fa203249f476dd4...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 22, 2025
Vulnerability Reserved
Apr 16, 2025