Bug 2492787 (CVE-2026-53195)

Summary: CVE-2026-53195 kernel: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the `USB: serial: io_ti` module of the Linux kernel. The `build_i2c_fw_hdr()` function allocates a fixed-size buffer but copies data into it without properly validating the input length from the firmware header. This oversight allows an attacker to provide a crafted firmware image, leading to a heap overflow. A successful exploit could result in arbitrary code execution or a denial of service (DoS) on the affected system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-25 10:05:42 UTC
In the Linux kernel, the following vulnerability has been resolved:

USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()

build_i2c_fw_hdr() allocates a fixed-size buffer of
(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then
copies le16_to_cpu(img_header->Length) bytes into it without
validating that Length fits within the available space after the
firmware record header.

img_header->Length is a __le16 from the firmware file and can be
up to 65535. check_fw_sanity() validates the total firmware size
but not img_header->Length specifically.

Fix by rejecting images where img_header->Length exceeds the
available destination space.