CVE-2026-53196 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

[ johan: amend commit message; also check for short descriptors ]

Published: 2026-06-25

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux usb serial io_ti driver contains a heap overflow that allows a malicious USB device to set an I2C EEPROM Size field up to 16377 bytes, overflowing a 10‑byte buffer in get_manuf_info() and corrupting kernel memory, potentially leading to arbitrary code execution or a kernel crash.

Affected Systems

All current Linux kernel versions that include the io_ti driver before the 183c1076… patch are affected; the flaw is present in the generic Linux kernel regardless of distribution.

Risk and Exploitability

No CVSS or EPSS score is publicly available and the vulnerability is not listed in KEV, but the heap corruption represents a high‑severity flaw that can be exploited by physically connecting a malicious USB device, giving an attacker the opportunity for privilege escalation or denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e168db91442b94e64fa82a7dd297983d48ea5cc0
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 561edb021486e6723d841926aa4b48097da06190
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d92f17af7097d10bdeddf26f66f34b354104b277
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< b849f30d1a9e66aae6b715aaef66e427390cb081
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d214d2341d4f9f447e36a7d012cdf6a6631a55f1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 183c1076eca43bbb3e7bdf597456f91d81c73e74

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a Linux kernel update that fixes the io_ti driver bug.
Disable the io_ti USB serial driver on systems that do not require it to eliminate the vulnerable code path.
Use udev rules or USB lockdown to block untrusted USB devices from being enumerated as serial devices until a patched kernel is installed.

Generated by OpenCVE AI on June 25, 2026 at 10:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74
https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190
https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081
https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
https://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1
https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277
https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0
https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea

History

Thu, 25 Jun 2026 11:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122 CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]
Title		USB: serial: io_ti: fix heap overflow in get_manuf_info()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74 https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190 https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081 https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a https://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1 https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277 https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0 https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:06.330Z

Updated: 2026-06-25T08:39:06.330Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53196

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T11:00:11Z

Weaknesses

CWE-122
Heap-based Buffer Overflow
CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object