CVE-2020-36783: i2c: img-scb: fix reference leak when pm_runtime_get_sync fails
In the Linux kernel, the following vulnerability has been resolved:
i2c: img-scb: fix reference leak when pm_runtime_get_sync fails
The PM reference count is not expected to be incremented on
return in functions img_i2c_xfer and img_i2c_init.
However, pm_runtime_get_sync will increment the PM reference
count even failed. Forgetting to putting operation will result
in a reference leak here.
Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.
Security readout for executives and security teams
Plain-English summary
This is a Linux kernel driver bug that can leave a power-management reference stuck after an error. Affected systems using the img-scb I2C controller driver may waste resources or behave incorrectly. The sources do not provide CVSS, practical impact, or an attack path, so urgency depends on whether the vulnerable driver and kernel are present.
Executive priority
Handle through normal kernel maintenance unless asset inventory shows affected embedded or hardware-specific Linux systems using this driver. There is no sourced evidence of exploitation or severe business impact, but kernel fixes should not be deferred indefinitely.
Technical view
The img-scb I2C driver used pm_runtime_get_sync in img_i2c_xfer and img_i2c_init. That call can increment the runtime PM usage counter even when it fails, causing a reference leak if not balanced. The kernel fix replaces it with pm_runtime_resume_and_get. CVSS, CWE, and impact details are not provided.
Likely exposure
Exposure appears limited to Linux systems running affected kernel builds with the img-scb I2C driver present and relevant hardware enabled. The source lists Linux kernel versions and stable commits, but does not identify distributions, appliances, or cloud images.
Exploitation context
The provided bundle says this CVE is not in KEV and gives no evidence of active exploitation. It also provides no public exploit status, attacker prerequisites, or remotely reachable attack path. Treat exploitation context as incomplete.
Researcher notes
Evidence supports a runtime PM reference leak in the Linux img-scb I2C driver. The bundle names functions and fix approach but lacks CVSS, CWE, exploitability analysis, and downstream vendor mapping. Avoid broad exposure claims without confirming driver usage and patched kernel lineage.
Mitigation direction
Update to a vendor-supported kernel containing the referenced stable fix.
Check Linux distribution advisories for package-specific fixed kernel versions.
For custom kernels, confirm the img-scb fix is backported.
Prioritize systems where the img-scb I2C driver is enabled or required.
Validation and detection
Inventory Linux kernel versions across affected assets.
Identify systems with the img-scb I2C driver built or loaded.
Verify kernel source or changelog includes the referenced stable fix.
Check vendor advisory status before marking distribution packages remediated.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2020-36783 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.