Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-53340

CVE-2026-53340: Linux Kernel i2c-imx DoS Vulnerability

CVE-2026-53340 is a denial of service vulnerability in the Linux kernel i2c-imx driver caused by clock and pinctrl state inconsistency in runtime PM. This article covers the technical details, affected systems, and mitigation.

Published:

CVE-2026-53340 Overview

CVE-2026-53340 is a Linux kernel vulnerability in the i2c-imx driver affecting runtime power management (PM) transitions. The flaw stems from an ordering issue in i2c_imx_runtime_suspend(), where the driver disables the I2C controller clock before switching the pinctrl state to sleep. If pinctrl_pm_select_sleep_state() fails, the runtime suspend is aborted while the clock remains disabled. Any subsequent hardware access triggers a system crash. The maintainers have committed a fix that reorders the operations and mirrors the correction in i2c_imx_runtime_resume().

Critical Impact

A failed pinctrl transition during I2C runtime suspend leaves the controller clock disabled, causing a kernel crash when the hardware is next accessed.

Affected Products

  • Linux kernel builds including the drivers/i2c/busses/i2c-imx.c driver
  • NXP i.MX-based platforms using runtime PM for I2C controllers
  • Embedded systems depending on pinctrl state transitions for I2C bus operation

Discovery Timeline

  • 2026-07-01 - CVE-2026-53340 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-53340

Vulnerability Analysis

The defect is a state consistency bug in the i2c-imx driver's runtime PM callbacks. In i2c_imx_runtime_suspend(), the original code sequence disables the peripheral clock with clk_disable_unprepare() first, then calls pinctrl_pm_select_sleep_state() to move the pins into their sleep configuration. When the pinctrl transition returns an error, the callback attempts to abort the suspend by returning failure. However, the clock is already disabled at this point and is not restored. The driver is left in a mixed state where the runtime PM framework treats the device as active while the underlying hardware is unclocked. Any register access on that controller from this point onward will fault, crashing the kernel.

Root Cause

The root cause is incorrect ordering of dependent resource transitions in the suspend and resume callbacks. Pinctrl state changes and clock gating are not atomic operations, and the driver did not roll back partial state on failure. This is a resource management defect rather than a memory safety issue and maps to the general class of improper error handling in kernel drivers.

Attack Vector

The vulnerability is not remotely exploitable and requires the runtime PM path to be exercised while pinctrl state selection fails. Triggering conditions are limited to local scenarios where the pinctrl subsystem cannot successfully apply the sleep state. The observable effect is a denial-of-service condition through a kernel crash on affected i.MX platforms. No arbitrary code execution or privilege escalation is documented. The patched driver reverses the sequence: pinctrl state is switched first, and the clock is disabled only after a successful transition. In i2c_imx_runtime_resume(), the pinctrl state is reverted to sleep if clk_enable() fails, preserving consistency.

Detection Methods for CVE-2026-53340

Indicators of Compromise

  • Kernel oops or panic entries referencing the i2c-imx driver or I2C register access on i.MX hardware
  • dmesg messages reporting pinctrl_pm_select_sleep_state failures immediately before a crash
  • Repeated I2C bus resets or device probe failures after runtime PM cycles

Detection Strategies

  • Audit deployed kernel versions on NXP i.MX platforms against the upstream stable commits referenced in the fix
  • Review CI test logs for runtime PM stress tests that exercise I2C suspend and resume paths
  • Correlate kernel crash telemetry with pinctrl error returns in the surrounding log window

Monitoring Recommendations

  • Collect kernel logs from embedded fleet devices and alert on i2c-imx fault signatures
  • Track pinctrl error return codes during power state transitions across the device fleet
  • Monitor unplanned reboot rates on i.MX-based hardware following firmware or kernel updates

How to Mitigate CVE-2026-53340

Immediate Actions Required

  • Identify Linux systems using the i2c-imx driver on NXP i.MX SoCs and inventory their kernel versions
  • Apply the upstream stable kernel patches that reorder the pinctrl and clock operations in the runtime PM callbacks
  • Rebuild and redistribute vendor kernels for embedded devices that consume the affected driver

Patch Information

The fix is available in the upstream Linux stable tree. Refer to the following commits for the exact source changes: Kernel.org Commit 8783fb8, Kernel.org Commit 9fa82cf, and Kernel.org Commit c8f5269. The patches move pinctrl_pm_select_sleep_state() before clk_disable_unprepare() in the suspend path and add a rollback of pinctrl state on clk_enable() failure in the resume path.

Workarounds

  • Disable runtime PM for the affected I2C controllers where operationally acceptable to avoid exercising the faulty transition path
  • Ensure pinctrl sleep state definitions in device tree are valid and reachable so that pinctrl_pm_select_sleep_state() does not return an error
  • Pin embedded device firmware images to a patched kernel build before deploying to production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.