{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-38671", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:24.031Z", "datePublished": "2025-08-22T16:03:02.151Z", "dateUpdated": "2025-08-28T14:44:37.404Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-08-28T14:44:37.404Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qup: jump out of the loop in case of timeout\n\nOriginal logic only sets the return value but doesn't jump out of the\nloop if the bus is kept active by a client. This is not expected. A\nmalicious or buggy i2c client can hang the kernel in this case and\nshould be avoided. This is observed during a long time test with a\nPCA953x GPIO extender.\n\nFix it by changing the logic to not only sets the return value, but also\njumps out of the loop and return to the caller with -ETIMEDOUT."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i2c/busses/i2c-qup.c"], "versions": [{"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "cbec4406998185e0311ae97dfacc649f9cd79b0b", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "acfa2948be630ad857535cb36153697f3cbf9ca9", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "d05ec13aa3eb868a60dc961b489053a643863ddc", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "c523bfba46c4b4d7676fb050909533a766698ecd", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "0d33913fce67a93c1eb83396c3c9d6b411dcab33", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "42c4471b30fa203249f476dd42321cd7efb7f6a8", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "89459f168b78e5c801dc8b7ad037b62898bc4f57", "status": "affected", "versionType": "git"}, {"version": "fbfab1ab065879370541caf0e514987368eb41b2", "lessThan": "a7982a14b3012527a9583d12525cd0dc9f8d8934", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i2c/busses/i2c-qup.c"], "versions": [{"version": "4.17", "status": "affected"}, {"version": "0", "lessThan": "4.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.297", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.241", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.190", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.148", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.101", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.41", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15.9", "lessThanOrEqual": "6.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.16", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "5.4.297"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "5.10.241"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "5.15.190"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.1.148"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.6.101"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.12.41"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.15.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "6.16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cbec4406998185e0311ae97dfacc649f9cd79b0b"}, {"url": "https://git.kernel.org/stable/c/acfa2948be630ad857535cb36153697f3cbf9ca9"}, {"url": "https://git.kernel.org/stable/c/d05ec13aa3eb868a60dc961b489053a643863ddc"}, {"url": "https://git.kernel.org/stable/c/c523bfba46c4b4d7676fb050909533a766698ecd"}, {"url": "https://git.kernel.org/stable/c/0d33913fce67a93c1eb83396c3c9d6b411dcab33"}, {"url": "https://git.kernel.org/stable/c/42c4471b30fa203249f476dd42321cd7efb7f6a8"}, {"url": "https://git.kernel.org/stable/c/89459f168b78e5c801dc8b7ad037b62898bc4f57"}, {"url": "https://git.kernel.org/stable/c/a7982a14b3012527a9583d12525cd0dc9f8d8934"}], "title": "i2c: qup: jump out of the loop in case of timeout", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: qup: jump out of the loop in case of timeout\n\nOriginal logic only sets the return value but doesn't jump out of the\nloop if the bus is kept active by a client. This is not expected. A\nmalicious or buggy i2c client can hang the kernel in this case and\nshould be avoided. This is observed during a long time test with a\nPCA953x GPIO extender.\n\nFix it by changing the logic to not only sets the return value, but also\njumps out of the loop and return to the caller with -ETIMEDOUT."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i2c: qup: se sale del bucle en caso de tiempo de espera. La l\u00f3gica original solo establece el valor de retorno, pero no se sale del bucle si un cliente mantiene activo el bus. Esto es inesperado. Un cliente i2c malicioso o con errores puede bloquear el kernel en este caso, por lo que debe evitarse. Esto se observ\u00f3 durante una prueba prolongada con un extensor GPIO PCA953x. Para solucionarlo, cambie la l\u00f3gica para que no solo establezca el valor de retorno, sino que tambi\u00e9n se salga del bucle y regrese al llamador con -ETIMEDOUT."}], "id": "CVE-2025-38671", "lastModified": "2025-08-28T15:15:58.300", "metrics": {}, "published": "2025-08-22T16:15:42.683", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0d33913fce67a93c1eb83396c3c9d6b411dcab33"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42c4471b30fa203249f476dd42321cd7efb7f6a8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/89459f168b78e5c801dc8b7ad037b62898bc4f57"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a7982a14b3012527a9583d12525cd0dc9f8d8934"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/acfa2948be630ad857535cb36153697f3cbf9ca9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c523bfba46c4b4d7676fb050909533a766698ecd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cbec4406998185e0311ae97dfacc649f9cd79b0b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d05ec13aa3eb868a60dc961b489053a643863ddc"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: i2c: qup: jump out of the loop in case of timeout", "id": "2390395", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390395"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ni2c: qup: jump out of the loop in case of timeout\nOriginal logic only sets the return value but doesn't jump out of the\nloop if the bus is kept active by a client. This is not expected. A\nmalicious or buggy i2c client can hang the kernel in this case and\nshould be avoided. This is observed during a long time test with a\nPCA953x GPIO extender.\nFix it by changing the logic to not only sets the return value, but also\njumps out of the loop and return to the caller with -ETIMEDOUT."], "name": "CVE-2025-38671", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38671\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38671\nhttps://lore.kernel.org/linux-cve-announce/2025082201-CVE-2025-38671-80a3@gregkh/T"], "threat_severity": "Low"}