Description
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

build_i2c_fw_hdr() allocates a fixed-size buffer of
(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
copies le16_to_cpu(img_header->Length) bytes into it without
validating that Length fits within the available space after the
firmware record header.

img_header->Length is a __le16 from the firmware file and can be
up to 65535. check_fw_sanity() validates the total firmware size
but not img_header->Length specifically.

Fix by rejecting images where img_header->Length exceeds the
available destination space.
Published: 2026-06-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap overflow occurs in the USB serial io_ti driver during firmware header construction. The function allocates a fixed-size buffer and copies a length field from the firmware image without checking that the length fits within the available space. If a firmware image contains a length that exceeds the buffer, the copy will overwrite adjacent heap memory. This memory corruption could compromise kernel integrity, but no explicit evidence indicates it can be used for remote code execution or privilege escalation.

Affected Systems

The issue affects all Linux kernel builds that implement the io_ti USB serial driver before the patch that applies the firmware header length check. The vulnerability is relevant to generic Linux distributions and any system that uses the kernel version containing the vulnerable driver. Exact version numbers are not specified in the data, so all pre‑patch kernel releases are considered at risk.

Risk and Exploitability

Because the flaw occurs in kernel space, it allows a heap overflow that could corrupt kernel memory. While this could potentially lead to system instability or compromise, no proof of arbitrary code execution is provided. The EPSS score remains < 1%, and the vulnerability is not listed in CISA KEV, with a CVSS score of 7.0. The likely attack vector is a malicious USB device supplying a crafted firmware image, and exploitation would require the host to process the image before the patch is applied, which poses a risk to systems that accept untrusted USB devices.

Generated by OpenCVE AI on June 26, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that rejects firmware images where the header length exceeds the available buffer space.
  • Reboot the system to load the updated kernel and ensure the patch is active.
  • Restrict USB device usage to trusted sources and consider disabling the io_ti driver on systems that do not require it.
  • Verify that the firmware update mechanism enforces the same length validation to prevent replay of malicious images.

Generated by OpenCVE AI on June 26, 2026 at 17:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() build_i2c_fw_hdr() allocates a fixed-size buffer of (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then copies le16_to_cpu(img_header->Length) bytes into it without validating that Length fits within the available space after the firmware record header. img_header->Length is a __le16 from the firmware file and can be up to 65535. check_fw_sanity() validates the total firmware size but not img_header->Length specifically. Fix by rejecting images where img_header->Length exceeds the available destination space.
Title USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:05.673Z

Reserved: 2026-06-09T07:44:35.390Z

Link: CVE-2026-53195

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53195 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T18:00:06Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')