CVE-2026-23055 Overview
CVE-2026-23055 is a Linux kernel flaw in the Renesas i2c-riic driver. The issue stems from incorrect ordering of system sleep callbacks in the suspend/resume path. I2C transfers can still be attempted while the controller is already suspended, triggering a WARNING from __i2c_smbus_xfer and disrupting devices that depend on I2C during the suspend cycle, such as the isl1208 real-time clock on Renesas RZ/G3E platforms.
Critical Impact
Improper suspend ordering in the riic I2C driver causes transfers to be attempted on a suspended controller, producing kernel warnings and breaking dependent devices like RTCs during system sleep on Renesas RZ/G3E hardware.
Affected Products
- Linux kernel i2c-riic driver (Renesas I2C controller)
- Renesas RZ/G3E platforms (for example, SMARC EVK based on r9a09g047e57)
- Kernel branches containing commit 53326135d0e0 ("i2c: riic: Add suspend/resume support")
Discovery Timeline
- 2026-02-04 - CVE-2026-23055 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-23055
Vulnerability Analysis
The i2c-riic driver registered its suspend and resume callbacks in the standard system sleep phase. After the controller was autosuspended through runtime power management, runtime PM was disabled in suspend_late(), leaving no path to wake the controller before the system entered the noirq phase.
During resume, the controller only became available again after resume_early() re-enabled runtime PM. Drivers depending on I2C during the late suspend or early resume window, such as the isl1208 RTC invoked from rtc_suspend(), attempted transfers against a suspended controller. The I2C core detected the violation in __i2c_smbus_xfer and emitted the "Transfer while suspended" warning at drivers/i2c/i2c-core.h:56.
The fix moves suspend handling to the NOIRQ phase. The suspend() callback now wakes the controller while runtime PM is still enabled, suspend_noirq() calls pm_runtime_force_suspend(), resume_noirq() calls pm_runtime_force_resume(), and the resume() callback re-enables autosuspend.
Root Cause
The root cause is inappropriate ordering of system sleep callbacks introduced by commit 53326135d0e0. Placing suspend logic in the standard phase rather than NOIRQ left a window where dependent kernel subsystems requested I2C transfers after the controller was already powered down.
Attack Vector
This is a local reliability and correctness defect triggered through normal system power transitions. No remote attack vector is documented. Exploitation in a security sense is not described in the upstream report; the impact is a kernel warning and broken functionality for I2C-attached devices during suspend and resume.
The vulnerability mechanism is described in prose because no verified exploit code is available. See the upstream commits for the patch implementation: Kernel Git Commit 0b4c0fb, Kernel Git Commit 469f8fe, and Kernel Git Commit e383f09.
Detection Methods for CVE-2026-23055
Indicators of Compromise
- Kernel log entries containing the string Transfer while suspended originating from __i2c_smbus_xfer.
- WARNING backtraces referencing drivers/i2c/i2c-core.h:56 during suspend or resume on Renesas RZ/G3E systems.
- Failed RTC reads in the suspend path, such as isl1208_i2c_read_time invoked from rtc_suspend.
Detection Strategies
- Audit dmesg and persistent kernel logs after suspend/resume cycles for the warning signature.
- Confirm the running kernel includes commit 53326135d0e0 but lacks the NOIRQ fix commits referenced in the upstream patch series.
- Verify driver pm_ops registration on riic devices to ensure NOIRQ callbacks are populated.
Monitoring Recommendations
- Forward kernel ring buffer entries to a centralized log pipeline and alert on i2c-core warnings.
- Track suspend/resume failure rates on fleets of Renesas-based embedded devices.
- Include RTC drift or read failures in post-resume health checks.
How to Mitigate CVE-2026-23055
Immediate Actions Required
- Apply the upstream Linux kernel patch series that relocates riic suspend handling to the NOIRQ phase.
- Rebuild and deploy kernels for affected Renesas RZ/G3E devices.
- Validate suspend and resume on representative hardware after patching.
Patch Information
The fix is delivered through the following upstream commits: Kernel Git Commit 0b4c0fb, Kernel Git Commit 469f8fe, and Kernel Git Commit e383f09. The change moves suspend handling so pm_runtime_force_suspend() runs in suspend_noirq() and pm_runtime_force_resume() runs in resume_noirq(), keeping the controller available for late-suspending and early-resuming devices.
Workarounds
- Disable runtime PM autosuspend for the riic controller on affected boards until the patch is applied.
- Remove or defer I2C-dependent suspend operations, such as RTC reads, where operationally acceptable.
- Pin affected systems to a kernel version prior to commit 53326135d0e0 if patching is not yet possible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
