Impact
A malicious USB device can send a forged I2C EEPROM Size field up to 16377 bytes to the kernel’s io_ti driver. This value is read into a 10‑byte buffer allocated with kmalloc_obj(), causing a heap overflow. The buffer is later accessed again by valid_csum(), compounding the out-of-bounds read. The resulting kernel memory corruption can enable the attacker to overwrite arbitrary data, potentially leading to privilege escalation or denial of service. The flaw involves input validation (CWE‑20), buffer overread (CWE‑122), and out‑of‑bounds write (CWE‑787).
Affected Systems
All Linux kernel releases that include the io_ti USB serial driver prior to the 183c1076 patch are affected. The vulnerability exists in the generic kernel code and is therefore present across all distributions that ship with this driver. Any system that could connect a USB serial device to a kernel with the vulnerable driver is at risk.
Risk and Exploitability
The CVSS score is 7.0, indicating high severity, while the EPSS score is less than 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need physical access to supply a custom USB device; no remote exploitation mechanism is described. Exploitation would involve mounting the device to trigger the overflow and then leveraging the corrupted kernel memory to achieve elevated privileges or crash the system.
OpenCVE Enrichment
Debian DLA