CVE-2026-23055 in Linux

Summary

by MITRE • 02/04/2026

In the Linux kernel, the following vulnerability has been resolved:

i2c: riic: Move suspend handling to NOIRQ phase

Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend ...

[ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[ 134.285536] ------------[ cut here ]------------
[ 134.290298] i2c i2c-2: Transfer while suspended
[ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388
[ 134.365507] Tainted: [W]=WARN
[ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT)
[ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214
[ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214
[ 134.391717] sp : ffff800083f23860
[ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60
[ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001
[ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936
[ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006
[ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280
[ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09
[ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8
[ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000
[ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000
[ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80
[ 134.466851] Call trace:
[ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P)
[ 134.473715] i2c_smbus_xfer+0xbc/0x120
[ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84
[ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208]
[ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208]
[ 134.493226] __rtc_read_time+0x44/0x88
[ 134.497012] rtc_read_time+0x3c/0x68
[ 134.500622] rtc_suspend+0x9c/0x170

The warning is triggered because I2C transfers can still be attempted while the controller is already suspended, due to inappropriate ordering of the system sleep callbacks.

If the controller is autosuspended, there is no way to wake it up once runtime PM is disabled (in suspend_late()). During system resume, the I2C controller will be available only after runtime PM is re-enabled (in resume_early()). However, this may be too late for some devices.

Wake up the controller in the suspend() callback while runtime PM is still enabled. The I2C controller will remain available until the suspend_noirq() callback (pm_runtime_force_suspend()) is called. During resume, the I2C controller can be restored by the resume_noirq() callback (pm_runtime_force_resume()). Finally, the resume() callback re-enables autosuspend. As a result, the I2C controller can remain available until the system enters suspend_noirq() and from resume_noirq().


Analysis

by VulDB Data Team • 04/30/2026

The vulnerability identified as CVE-2026-23055 affects the Linux kernel's handling of I2C suspend and resume operations within the Renesas I2C driver, specifically the riic driver. This issue manifests as a warning message during system suspend on certain Renesas-based platforms, indicating that I2C transfers are attempted while the controller is already suspended. The problem arises from improper ordering of system sleep callbacks, where the I2C controller's suspend handling occurs too late in the suspend sequence, allowing potential I2C operations to proceed while the hardware is effectively disabled. The warning message "i2c i2c-2: Transfer while suspended" is generated when a device attempts to perform an I2C transfer during the suspend process, specifically triggered by functions like __i2c_smbus_xfer, which is part of the core I2C subsystem and is called during operations such as reading RTC time from an isl1208 RTC device.

This vulnerability stems from a fundamental flaw in the I2C driver's power management implementation where the suspend handling logic is incorrectly positioned within the system's power management callback sequence. The issue is categorized under CWE-362, which represents a race condition in concurrent systems, specifically in this case a race condition in the power management subsystem. The root cause lies in how the runtime power management subsystem interacts with the I2C controller's suspend and resume operations, where the controller can be suspended before all pending I2C operations are completed, yet the system still attempts to perform I2C transfers during this period. The technical impact is that I2C operations may fail or cause system instability during suspend transitions, particularly on RZ/G3E platforms where the controller's runtime power management is disabled during the suspend_late() phase.

The operational impact of this vulnerability extends beyond simple system warnings to potentially cause system instability or complete failure of I2C device operations during suspend transitions. When the I2C controller is suspended prematurely, any device drivers attempting to access I2C devices during the suspend process will encounter failures, which can result in the system failing to properly enter or exit suspend states. The vulnerability affects systems using the Renesas I2C driver on platforms such as the Renesas SMARC EVK, where the timing of power management callbacks creates a window where I2C operations can be attempted while the hardware is not properly available. This can lead to system hangs, device malfunctions, or failure to properly complete system suspend and resume operations, potentially affecting system reliability and user experience.

The mitigation strategy implemented in the fix involves moving the suspend handling to the NOIRQ phase of the system suspend sequence, specifically by ensuring that the I2C controller is awakened during the suspend() callback while runtime power management is still enabled. This approach aligns with the ATT&CK technique T1547.001, which involves modifying system boot or startup processes to establish persistence, but in this case it modifies the timing of power management operations to prevent race conditions. The solution ensures that the I2C controller remains available from the suspend() callback until the suspend_noirq() callback, which properly forces the suspension of the controller. During resume, the controller is restored through resume_noirq() and then re-enabled for autosuspend in the resume() callback. This approach prevents I2C transfers from occurring while the controller is suspended, thereby eliminating the warning and ensuring proper power management behavior. The fix addresses the issue by reordering the power management operations to ensure proper synchronization between the I2C subsystem and the system's power management framework, preventing the race condition that was causing the vulnerability.
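
For triage, the warning and the consumer driver that issued the transfer can be pulled out of a saved kernel log. The Python below is an added example, not code from the kernel patch or from VulDB; the name find_suspended_transfers and the rule that frames starting with i2c_ or __i2c_ belong to the I2C core are assumptions, and the sample lines are excerpted from the log quoted above.

```python
import re

# Sample input: lines excerpted from the kernel log quoted on this page.
SAMPLE_LOG = """\
[ 134.285536] ------------[ cut here ]------------
[ 134.290298] i2c i2c-2: Transfer while suspended
[ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388
[ 134.466851] Call trace:
[ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P)
[ 134.473715] i2c_smbus_xfer+0xbc/0x120
[ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84
[ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208]
[ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208]
[ 134.493226] __rtc_read_time+0x44/0x88
[ 134.497012] rtc_read_time+0x3c/0x68
[ 134.500622] rtc_suspend+0x9c/0x170
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")          # dmesg timestamp prefix
HIT = re.compile(r"^i2c (i2c-\d+): Transfer while suspended")
FRAME = re.compile(
    r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \(P\))?(?: \[(\w+)\])?$")
I2C_CORE = ("__i2c_", "i2c_")   # assumption: these prefixes mark I2C core frames


def find_suspended_transfers(text):
    """Return one dict per 'Transfer while suspended' warning in a kernel log."""
    events, current, in_trace = [], None, False
    for raw in text.splitlines():
        line = STAMP.sub("", raw).strip()
        hit = HIT.match(line)
        if hit:
            current = {"adapter": hit.group(1), "frames": [],
                       "caller": None, "module": None}
            events.append(current)
            in_trace = False
        elif current is None:
            continue
        elif line == "Call trace:":
            in_trace = True
        elif in_trace:
            frame = FRAME.match(line)
            if not frame:                 # first non-frame line ends the trace
                current, in_trace = None, False
                continue
            current["frames"].append(frame.group(1))
            # First frame outside the I2C core is the consumer that issued it.
            if current["caller"] is None and not frame.group(1).startswith(I2C_CORE):
                current["caller"], current["module"] = frame.group(1), frame.group(2)
    return events
```

The last entry in frames is the outermost function the log shows, which for the sample is rtc_suspend.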

Responsible: Linux

Reservation: 01/13/2026

Disclosure: 02/04/2026

Moderation: accepted

CPE: ready

EPSS: 0.00032

KEV: no

Activities: very low
