{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48806", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-16T11:38:08.896Z", "datePublished": "2024-07-16T11:43:57.598Z", "dateUpdated": "2025-05-04T12:43:44.209Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:43:44.209Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8.  If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows.  And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/eeprom/ee1004.c"], "versions": [{"version": "aca56c298e2a6d20ab6308e203a8d37f2a7759d3", "lessThan": "3937c35493ee2847aaefcfa5460e94b7443eef49", "status": "affected", "versionType": "git"}, {"version": "25714ad6bf5e98025579fa4c08ff2041a663910c", "lessThan": "a37960df7eac3cc8094bd1ab84864e9e32c91345", "status": "affected", "versionType": "git"}, {"version": "be9313f755a7bfa02230b15731d07074d5255ecb", "lessThan": "9a5f471ae380f9fcb9756d453c12ca1f8595a93c", "status": "affected", "versionType": "git"}, {"version": "07d9beb6e3c2e852e884113d6803ea4b3643ae38", "lessThan": "9443ddeb3754e9e382a396b50adc1961301713ce", "status": "affected", "versionType": "git"}, {"version": "effa453168a7eeb8a562ff4edc1dbf9067360a61", "lessThan": "c0689e46be23160d925dca95dfc411f1a0462708", "status": "affected", "versionType": "git"}, {"version": "74650c34f93044d3ab441235f161f9e1e761e96b", "status": "affected", "versionType": "git"}, {"version": "a126a8c3dd51519513141b4fc94fd4813bca2c0f", "status": "affected", "versionType": "git"}, {"version": "202d0e22fe512df0f1cb6253d40ce1058e373247", "status": "affected", "versionType": "git"}, {"version": "7414af7bdad9a9cddb3a765ca98ea207048618c5", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/eeprom/ee1004.c"], "versions": [{"version": "5.4.174", "lessThan": "5.4.180", "status": "affected", "versionType": "semver"}, {"version": "5.10.94", "lessThan": "5.10.101", "status": "affected", "versionType": "semver"}, {"version": "5.15.17", "lessThan": "5.15.24", "status": "affected", "versionType": "semver"}, {"version": "5.16.3", "lessThan": "5.16.10", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.4.174", "versionEndExcluding": "5.4.180"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.94", "versionEndExcluding": "5.10.101"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.17", "versionEndExcluding": "5.15.24"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16.3", "versionEndExcluding": "5.16.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.300"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.9.298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14.263"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.19.226"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}], "title": "eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.645Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:58:47.691859Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:13.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:58:47.691859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:21.485Z"}}], "cna": {"title": "eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "aca56c298e2a6d20ab6308e203a8d37f2a7759d3", "lessThan": "3937c35493ee2847aaefcfa5460e94b7443eef49", "versionType": "git"}, {"status": "affected", "version": "25714ad6bf5e98025579fa4c08ff2041a663910c", "lessThan": "a37960df7eac3cc8094bd1ab84864e9e32c91345", "versionType": "git"}, {"status": "affected", "version": "be9313f755a7bfa02230b15731d07074d5255ecb", "lessThan": "9a5f471ae380f9fcb9756d453c12ca1f8595a93c", "versionType": "git"}, {"status": "affected", "version": "07d9beb6e3c2e852e884113d6803ea4b3643ae38", "lessThan": "9443ddeb3754e9e382a396b50adc1961301713ce", "versionType": "git"}, {"status": "affected", "version": "effa453168a7eeb8a562ff4edc1dbf9067360a61", "lessThan": "c0689e46be23160d925dca95dfc411f1a0462708", "versionType": "git"}, {"status": "affected", "version": "74650c34f93044d3ab441235f161f9e1e761e96b", "versionType": "git"}, {"status": "affected", "version": "a126a8c3dd51519513141b4fc94fd4813bca2c0f", "versionType": "git"}, {"status": "affected", "version": "202d0e22fe512df0f1cb6253d40ce1058e373247", "versionType": "git"}, {"status": "affected", "version": "7414af7bdad9a9cddb3a765ca98ea207048618c5", "versionType": "git"}], "programFiles": ["drivers/misc/eeprom/ee1004.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.4.174", "lessThan": "5.4.180", "versionType": "semver"}, {"status": "affected", "version": "5.10.94", "lessThan": "5.10.101", "versionType": "semver"}, {"status": "affected", "version": "5.15.17", "lessThan": "5.15.24", "versionType": "semver"}, {"status": "affected", "version": "5.16.3", "lessThan": "5.16.10", "versionType": "semver"}], "programFiles": ["drivers/misc/eeprom/ee1004.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8.  If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows.  And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.180", "versionStartIncluding": "5.4.174"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.101", "versionStartIncluding": "5.10.94"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.24", "versionStartIncluding": "5.15.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16.10", "versionStartIncluding": "5.16.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.4.300"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.9.298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.14.263"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "4.19.226"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T12:43:44.209Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48806", "state": "PUBLISHED", "dateUpdated": "2025-05-04T12:43:44.209Z", "dateReserved": "2024-07-16T11:38:08.896Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-16T11:43:57.598Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8.  If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows.  And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: eeprom: ee1004: limitar las lecturas de i2c a I2C_SMBUS_BLOCK_MAX El commit effa453168a7 (\"i2c: i801: No corrija silenciosamente el tama\u00f1o de transferencia no v\u00e1lido\") revel\u00f3 que ee1004_eeprom_read() no limitaba adecuadamente cu\u00e1ntas bytes para leer a la vez. En particular, i2c_smbus_read_i2c_block_data_or_emulated() toma la longitud para leer como u8. Si el recuento == 256 despu\u00e9s de tener en cuenta el desplazamiento y el l\u00edmite de la p\u00e1gina, la conversi\u00f3n a u8 se desborda. Y esto es com\u00fan cuando el espacio del usuario intenta leer toda la EEPROM a la vez. Para solucionarlo, limite cada lectura a I2C_SMBUS_BLOCK_MAX (32) bytes, ya que la longitud m\u00e1xima que permite i2c_smbus_read_i2c_block_data_or_emulated()."}], "id": "CVE-2022-48806", "lastModified": "2024-11-21T07:34:07.470", "metrics": {}, "published": "2024-07-16T12:15:04.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX", "id": "2298142", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298142"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["In the Linux kernel, the following vulnerability has been resolved:\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8.  If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows.  And this is common\nwhen user space tries to read the entire EEPROM at once.\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."], "name": "CVE-2022-48806", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48806\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48806\nhttps://lore.kernel.org/linux-cve-announce/2024071645-CVE-2022-48806-445c@gregkh/T"], "threat_severity": "Low"}