CVE-2026-53196 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in get_manuf_info()

get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the
device I2C EEPROM into a buffer allocated with kmalloc_obj(), which
is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes.

The Size field comes from the device and is only validated (in
check_i2c_image()) to make sure the descriptor fits within
TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size.
A malicious USB device can therefore set Size to any value up to 16377,
causing a heap overflow of up to 16367 bytes when plugged into a host
running this driver.

valid_csum() is called after read_rom() and also iterates
buffer[0..Size-1], compounding the out-of-bounds access.

Fix by rejecting descriptors with unexpected length before calling
read_rom().

[ johan: amend commit message; also check for short descriptors ]

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00203.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< e168db91442b94e64fa82a7dd297983d48ea5cc0
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 561edb021486e6723d841926aa4b48097da06190
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d92f17af7097d10bdeddf26f66f34b354104b277
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< b849f30d1a9e66aae6b715aaef66e427390cb081
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d214d2341d4f9f447e36a7d012cdf6a6631a55f1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 183c1076eca43bbb3e7bdf597456f91d81c73e74

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.259`	unaffected	≤ 5.10.*
`5.15.210`	unaffected	≤ 5.15.*
`6.1.176`	unaffected	≤ 6.1.*
`6.6.143`	unaffected	≤ 6.6.*
`6.12.94`	unaffected	≤ 6.12.*
`6.18.36`	unaffected	≤ 6.18.*
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Project Subscriptions

Vendors	Products
Linux Subscribe	Linux Kernel Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74
https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190
https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081
https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a
https://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1
https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277
https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0
https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea

History

Thu, 25 Jun 2026 11:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122 CWE-20

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_ti: fix heap overflow in get_manuf_info() get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the device I2C EEPROM into a buffer allocated with kmalloc_obj(), which is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. The Size field comes from the device and is only validated (in check_i2c_image()) to make sure the descriptor fits within TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. A malicious USB device can therefore set Size to any value up to 16377, causing a heap overflow of up to 16367 bytes when plugged into a host running this driver. valid_csum() is called after read_rom() and also iterates buffer[0..Size-1], compounding the out-of-bounds access. Fix by rejecting descriptors with unexpected length before calling read_rom(). [ johan: amend commit message; also check for short descriptors ]
Title		USB: serial: io_ti: fix heap overflow in get_manuf_info()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/183c1076eca43bbb3e7bdf597456f91d81c73e74 https://git.kernel.org/stable/c/561edb021486e6723d841926aa4b48097da06190 https://git.kernel.org/stable/c/b849f30d1a9e66aae6b715aaef66e427390cb081 https://git.kernel.org/stable/c/cfd634f6dfd40c49a84f9bddc2867a80e2e2623a https://git.kernel.org/stable/c/d214d2341d4f9f447e36a7d012cdf6a6631a55f1 https://git.kernel.org/stable/c/d92f17af7097d10bdeddf26f66f34b354104b277 https://git.kernel.org/stable/c/e168db91442b94e64fa82a7dd297983d48ea5cc0 https://git.kernel.org/stable/c/f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:39:06.330Z

Updated: 2026-06-25T08:39:06.330Z

Reserved: 2026-06-09T07:44:35.391Z

Link: CVE-2026-53196

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T17:45:15Z

Weaknesses

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object