CVE-2026-53196
USB: serial: io_ti: fix heap overflow in get_manuf_info()
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS —EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
25 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In the Linux kernel, the following vulnerability has been resolved:
USB: serial: io_ti: fix heap overflow in get_manuf_info()
get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.
The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.
valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.
Fix by rejecting descriptors with unexpected length before calling
read_rom().
[ johan: amend commit message; also check for short descriptors ]
Affected products
Linux · LinuxWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623ahttps://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea