CVE-2020-36780 is a medium-severity vulnerability identified in the Linux kernel's I2C subsystem, specifically within the Spreadtrum (sprd) driver implementation. The issue arises from improper handling of the power management (PM) runtime reference count in the functions sprd_i2c_master_xfer() and sprd_i2c_remove(). The vulnerability is due to the use of pm_runtime_get_sync(), which increments the PM reference count even when it fails, but the code does not properly decrement or balance this increment in failure scenarios. This leads to a reference leak, where the PM usage counter becomes unbalanced. Over time, this can cause the device to remain in an undesired power state, potentially leading to resource exhaustion or denial of service (DoS) conditions. The fix replaces pm_runtime_get_sync() with pm_runtime_resume_and_get(), which correctly manages the usage counter to prevent leaks. The vulnerability does not affect confidentiality or integrity but impacts availability by potentially causing system instability or crashes due to improper power management. Exploitation requires local access with low privileges and high attack complexity, with no user interaction needed. No known exploits are reported in the wild as of the publication date.

For European organizations, this vulnerability primarily poses a risk to systems running Linux kernels with the affected Spreadtrum I2C driver, which may be embedded in specialized hardware or IoT devices. The impact is mainly on system availability, as the reference leak can cause power management issues leading to device instability or crashes. This can disrupt critical infrastructure or industrial control systems that rely on embedded Linux devices, especially in sectors like manufacturing, telecommunications, and transportation. While the vulnerability does not expose sensitive data or allow privilege escalation, the resulting denial of service could interrupt business operations or degrade service reliability. Organizations using Linux-based embedded systems with Spreadtrum chipsets should be particularly vigilant. The medium severity rating reflects the limited scope and complexity of exploitation but acknowledges the potential for operational disruption.

European organizations should ensure that Linux kernel versions deployed on their devices are updated to include the patch replacing pm_runtime_get_sync() with pm_runtime_resume_and_get() in the Spreadtrum I2C driver. Since this is a kernel-level fix, applying vendor-supplied kernel updates or recompiling the kernel with the patched driver is essential. For embedded systems where kernel updates are challenging, organizations should work with hardware vendors to obtain patched firmware or kernel images. Additionally, monitoring device logs for power management anomalies and unexpected device resets can help detect exploitation attempts. Implementing strict access controls to limit local user access to trusted personnel reduces the risk of exploitation. Finally, organizations should maintain an inventory of devices using Spreadtrum chipsets to prioritize patching and risk assessment.