CVE Catalog

CVE-2026-53196

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

A heap overflow vulnerability was found in the io_ti USB serial driver in the Linux kernel. The get_manuf_info() function reads a Size field from the USB device that can be set up to 16377 bytes, while the destination buffer is only 10 bytes, causing a heap overflow of up to 16367 bytes. The fix adds validation of the descriptor length before reading.

Risk Assessment

A malicious USB device can exploit this vulnerability to cause a heap overflow, potentially leading to arbitrary code execution in kernel context or system instability. The attack requires physical access to a USB port.

Recommendation

Immediately update the Linux kernel to a version containing the fix (commit with the patch). Restrict physical access to USB ports on critical systems.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]

Vulnerability data from NVD (NIST) · CISA KEV · EPSS