CVE-2026-31627
Published: 24 April 2026
Summary
CVE-2026-31627 is a high-severity vulnerability of an unspecified weakness type in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 3.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31627 is a vulnerability in the Linux kernel's i2c-s3c24xx driver, which handles I2C operations for Samsung S3C24xx platforms. The issue arises from a failure to validate the size byte in an I2C SMBUS message before processing it, potentially allowing the message size to exceed the valid range of 0 to I2C_SMBUS_BLOCK_MAX. This mirrors a prior fix in the i2c-tegra driver via commit a6e04f05ce0b, highlighting inconsistent bounds checking across I2C drivers.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation leads to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as indicated by the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U). The unchanged scope (S:U) suggests potential for kernel-level disruption, such as memory corruption or denial of service.
Mitigation involves applying the relevant stable kernel patches referenced in the advisory, including commits 377fae22a137b6b89f3f32399a58c52cf2325416, 71b3c316b22c555d2769126a92b1244b15a9750d, aaaaec39ddbcd06770dca7f1adebc3b1242ebe7b, c0128c7157d639a931353ea344fb44aad6d6e17a, and d87d5620125a03b1eadbd5df39748215d3db7ddb, available via git.kernel.org. These commits explicitly add the size validation logic to resolve the issue.
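The size-byte check described in the analysis above, as an added stand-alone C example (not the kernel's driver code and not the referenced commits). `struct blk_read`, `blk_read_byte`, `blk_read_feed` and the `-EPROTO` return value are assumptions made for this example; `I2C_SMBUS_BLOCK_MAX` is redefined locally with the kernel's value of 32.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same value as the kernel's I2C_SMBUS_BLOCK_MAX; redefined so this builds alone. */
#define I2C_SMBUS_BLOCK_MAX 32

/* Hypothetical receive state for one SMBus block read (not the driver's types):
 * buf holds the size byte followed by up to I2C_SMBUS_BLOCK_MAX data bytes. */
struct blk_read {
    uint8_t buf[I2C_SMBUS_BLOCK_MAX + 1];
    size_t  len;   /* total bytes expected; 1 until the size byte arrives */
    size_t  pos;   /* bytes stored so far */
};

/* Store one received byte. Returns 0 while more bytes are expected, 1 when the
 * message is complete, -EPROTO (error code chosen for this example) on a bad size. */
int blk_read_byte(struct blk_read *r, uint8_t byte)
{
    if (r->pos == 0) {
        /* The first byte is the size. It is message data, so it is checked
         * against 0..I2C_SMBUS_BLOCK_MAX before it is allowed to set the
         * transfer length. Without this test a size of 0xFF would make the
         * loop below store up to 256 bytes into a 33-byte buffer. */
        if (byte > I2C_SMBUS_BLOCK_MAX)
            return -EPROTO;
        r->len = (size_t)byte + 1;
    }
    if (r->pos >= r->len)          /* called again after completion */
        return -EPROTO;
    r->buf[r->pos++] = byte;
    return r->pos == r->len;
}

/* Run a whole constructed reply through the state machine. */
int blk_read_feed(struct blk_read *r, const uint8_t *wire, size_t n)
{
    memset(r, 0, sizeof(*r));
    r->len = 1;
    for (size_t i = 0; i < n; i++) {
        int rc = blk_read_byte(r, wire[i]);
        if (rc != 0)
            return rc;             /* complete (1) or rejected (-EPROTO) */
    }
    return 0;                      /* input ended before the message did */
}
```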
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25520
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
i2c: s3c24xx: check the size of the SMBUS message before using it
The first byte of an i2c SMBUS message is the size, and it should be verified to ensure that it is in the range of 0..I2C_SMBUS_BLOCK_MAX before processing it. This is the same logic that was added in commit a6e04f05ce0b ("i2c: tegra: check msg length in SMBUS block read") to the i2c tegra driver.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel driver memory corruption (missing bounds check on I2C SMBUS size) with low-priv attacker and high C/I/A impact directly enables T1068 (Exploitation for Privilege Escalation) and T1499.004 (Endpoint DoS via Application/System Exploitation).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of the SMBUS message size byte to ensure it falls within 0 to I2C_SMBUS_BLOCK_MAX before processing, addressing the core bounds checking failure in the i2c-s3c24xx driver.
Mandates timely identification, reporting, and application of kernel patches such as commits 377fae22a137b6b89f3f32399a58c52cf2325416 et al., which add the missing size validation.
Vulnerability scanning detects kernel driver flaws like CVE-2026-31627 in the i2c-s3c24xx module, enabling prompt remediation.