Description
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

[ johan: amend commit message; also check for short descriptors ]
Published: 2026-06-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious USB device can send a forged I2C EEPROM Size field up to 16377 bytes to the kernel’s io_ti driver. This value is read into a 10‑byte buffer allocated with kmalloc_obj(), causing a heap overflow. The buffer is later accessed again by valid_csum(), compounding the out-of-bounds read. The resulting kernel memory corruption can enable the attacker to overwrite arbitrary data, potentially leading to privilege escalation or denial of service. The flaw involves input validation (CWE‑20), buffer overread (CWE‑122), and out‑of‑bounds write (CWE‑787).

Affected Systems

All Linux kernel releases that include the io_ti USB serial driver prior to the 183c1076 patch are affected. The vulnerability exists in the generic kernel code and is therefore present across all distributions that ship with this driver. Any system that could connect a USB serial device to a kernel with the vulnerable driver is at risk.

Risk and Exploitability

The CVSS score is 7.0, indicating high severity, while the EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need physical access to supply a custom USB device; no remote exploitation mechanism is described. Exploitation would involve mounting the device to trigger the overflow and then leveraging the corrupted kernel memory to achieve elevated privileges or crash the system.

Generated by OpenCVE AI on June 26, 2026 at 03:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the 183c1076 patch for the io_ti driver.
  • If a patch cannot be applied immediately, disable the io_ti USB serial driver on hosts that do not require this functionality by blacklisting the module.
  • Use udev rules or USB lockdown mechanisms to block untrusted USB devices from being enumerated as serial devices until the kernel is updated or the driver is disabled.

Generated by OpenCVE AI on June 26, 2026 at 03:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]
Title USB: serial: io_ti: fix heap overflow in get_manuf_info()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:34.377Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53196

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53196 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T03:45:16Z

Weaknesses